CVE-2019-10336 — Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vuln

Description

The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.

How to fix CVE-2019-10336

To remediate CVE-2019-10336, upgrade the affected package to a fixed version below.

—upgrade to 1.1.7 or later

Is CVE-2019-10336 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10336
WEBgithub.com/jenkinsci/electricflow-plugin/commit/4550f86e75e0927be644958ed088e4fa82c783b7
WEBjenkins.io/security/advisory/2019-06-11/#SECURITY-1420
WEBweb.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747