#VU22270 Reflected cross-site scripting in build-metrics - CVE-2019-10475
Published: October 24, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU22270
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-10475
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
build-metrics
build-metrics
Software vendor:
Jenkins
Jenkins
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "label" query parameter. The vulnerability allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.