4.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10336

GHSA ID

GHSA-w3pj-v9jr-v2wc

EPSS Score

0.23811%

CWE

CWE-79

Published

5/24/2022

Updated

12/22/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10336

CVE-2019-10336:
Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability

The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting.

This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form.

CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.

(GitHub Advisory)

4.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10336

GHSA ID

GHSA-w3pj-v9jr-v2wc

EPSS Score

0.23811%

CWE

CWE-79

Published

5/24/2022

Updated

12/22/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:electricflow	maven	<= 1.1.6	1.1.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from JavaScript DOM manipulation functions in multiple configuration forms that used innerHTML to display ElectricFlow API responses. The commit 4550f86 shows these functions were patched by replacing innerHTML with textContent, which neutralizes HTML/JS interpretation. Since these functions handled server API responses that attackers could control, the insecure innerHTML usage directly enabled XSS payload injection into Jenkins configuration interfaces.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *on*i*ur*tion *orms o* v*rious post-*uil* st*ps *ontri*ut** *y *lou****s ** Plu*in w*r* vuln*r**l* to *ross-sit* s*riptin*. T*is *llow** *tt**k*rs **l* to *ontrol t** output o* *onn**t** *l**tri**low s*rv*rs' *PIs to inj**t *r*itr*ry *TML *n* J*

Reasoning

T** vuln*r**ility st*mm** *rom J*v*S*ript *OM m*nipul*tion `*un*tions` in multipl* `*on*i*ur*tion` *orms t**t us** `inn*r*TML` to *ispl*y *l**tri**low *PI r*spons*s. T** *ommit `*******` s*ows t**s* `*un*tions` w*r* p*t**** *y r*pl**in* `inn*r*TML` w

4.7

Basic Information

Concerned about an active attack path?

CVE-2019-10336: Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability

4.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-10336:
Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability

Vulnerability Intelligence
Miggo AI