-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from how user-controlled input (config.php file names) was embedded into JavaScript code in the Jelly templates. The original code used 'onclick="return cfp_confirmDelete('${t.name}')"', which inserted the unescaped 't.name' into the JavaScript context. Attackers could inject arbitrary JavaScript via the config.php name. The fix moved the value to a 'data-confirm' attribute (HTML-encoded) and retrieved it via the DOM, avoiding direct script injection. The vulnerable functions are the JavaScript handlers in the Jelly files that improperly handled user input before the patch.
JavaJava| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:config-file-provider | maven | < 3.5 | 3.5 |
Ongoing coverage of React2Shell