
CVE-2019-10336: Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability

CVSS Score (v3.0)
4.7

Basic Information

EPSS Score
0.23811%
Published
5/24/2022
Updated
12/22/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
org.jenkins-ci.plugins:electricflow
Ecosystem
maven
Vulnerable Versions
<= 1.1.6
First Patched Version
1.1.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from JavaScript DOM manipulation functions in multiple configuration forms that used innerHTML to display ElectricFlow API responses. Commit 4550f86 shows these functions were patched by replacing innerHTML with textContent, so the response is inserted as inert text rather than parsed as HTML/JS. Because these functions rendered responses from connected ElectricFlow servers, an attacker who could control that server's API output could inject an XSS payload into the Jenkins configuration interface.
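The following is an added illustration of the pre-fix and post-fix rendering patterns described above; it is not code from the plugin or from commit 4550f86. It assumes the ElectricFlow API returns a JSON list of objects with a projectName field (an assumption) and uses a hand-written stand-in for the DOM so the difference between innerHTML and textContent can be exercised under Node, where no browser DOM exists.

```javascript
// Added example, not the ElectricFlow plugin's own code.
// Assumed API shape: [{ projectName: "..." }, ...] (assumption, not from the advisory).

// Escape the characters a browser would otherwise treat as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Minimal stand-in for a DOM element: setting innerHTML hands raw markup to the
// parser (a browser would execute any script it contains), setting textContent
// stores the string as inert text. serialize() shows what the tree would contain.
class FakeElement {
  constructor(tag) { this.tag = tag; this.children = []; this._text = null; this._html = null; }
  set innerHTML(markup) { this._html = String(markup); this._text = null; this.children = []; }
  set textContent(text) { this._text = String(text); this._html = null; this.children = []; }
  appendChild(child) { this._html = null; this._text = null; this.children.push(child); return child; }
  serialize() {
    if (this._html !== null) return this._html;            // raw markup, parsed as-is
    if (this._text !== null) return escapeHtml(this._text); // text node, never parsed
    return this.children.map(c => `<${c.tag}>${c.serialize()}</${c.tag}>`).join('');
  }
}
const fakeDocument = { createElement: tag => new FakeElement(tag) };

// Pre-fix pattern: API values concatenated into markup and assigned via innerHTML.
// A value controlled by the remote server is interpreted as HTML.
function renderProjectsUnsafe(container, projects) {
  let html = '';
  for (const p of projects) html += '<option>' + p.projectName + '</option>';
  container.innerHTML = html;
  return container.serialize();
}

// Post-fix pattern: build nodes and assign each value through textContent,
// so the same hostile value becomes inert text in the rendered form.
function renderProjectsSafe(container, projects) {
  container.textContent = ''; // clear previous contents without parsing anything
  for (const p of projects) {
    const option = fakeDocument.createElement('option');
    option.textContent = p.projectName;
    container.appendChild(option);
  }
  return container.serialize();
}

// Constructed sample response: one benign project name and one hostile value
// of the kind a compromised or attacker-controlled ElectricFlow server could return.
const constructedApiResponse = [
  { projectName: 'Default' },
  { projectName: '<script>alert(1)</script>' },
];

console.log('innerHTML   :', renderProjectsUnsafe(fakeDocument.createElement('select'), constructedApiResponse));
console.log('textContent :', renderProjectsSafe(fakeDocument.createElement('select'), constructedApiResponse));
```

Run with node; the first line shows the script tag landing in the tree verbatim, the second shows it neutralised as `&lt;script&gt;`. The same reasoning applies to any response field the form displays, which is why the fix had to be applied across every function in the forms, not only the one a given report pointed at.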

Vulnerable functions


WAF Protection Rules

WAF Rule

The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JS
