
CVE-2020-2175: Stored XSS vulnerability in Jenkins FitNesse Plugin

CVSS Score (v3.0): 5.4

Basic Information

EPSS Score: 0.37199%
Published: 5/24/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name                      Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.plugins:fitnesse   maven       <= 1.31               1.32

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The patches show that the getName methods in ResultsDetails and FitnesseResults were modified to escape user-controlled input before it is rendered on the Jenkins UI, indicating these were the vulnerable functions. The values they return originate in the FitNesse XML result files the plugin processes, so anyone who can control those files can inject markup into the report view.
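
The escaping gap described above, shown as an added example (this is not the plugin's code or the Miggo analysis): a constructed FitNesse-style XML result file whose page name carries an HTML payload is rendered once through a hypothetical unescaped path (the pre-1.32 behaviour) and once through an escaped one, with a check that tells the two apart and a helper that evaluates an installed version against the affected range in the table above. The XML layout, the render functions and the has_foreign_markup/is_affected_version helpers are assumptions made for the illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample of a FitNesse-style XML results file (layout approximated
# for this example). The second page name carries an HTML payload, which is
# the kind of input a user who controls the XML files could supply.
SAMPLE_RESULTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<testResults>
  <rootPath>SuiteAcceptanceTests</rootPath>
  <result>
    <relativePageName>LoginTest</relativePageName>
    <counts><right>3</right><wrong>0</wrong><ignores>0</ignores><exceptions>0</exceptions></counts>
  </result>
  <result>
    <relativePageName>&lt;img src=x onerror=alert(document.domain)&gt;</relativePageName>
    <counts><right>0</right><wrong>1</wrong><ignores>0</ignores><exceptions>0</exceptions></counts>
  </result>
</testResults>
"""


def page_names(xml_text):
    """Return the page name of each <result> element as the XML parser decodes
    it, so &lt;img ...&gt; comes back as a literal <img ...> tag."""
    root = ET.fromstring(xml_text)
    return [r.findtext("relativePageName", default="") for r in root.findall("result")]


def render_name_vulnerable(name):
    """Hypothetical stand-in for the pre-1.32 behaviour: the name is dropped
    into the HTML fragment verbatim, so any markup inside it becomes active."""
    return "<td>%s</td>" % name


def render_name_fixed(name):
    """Hypothetical stand-in for the patched behaviour: HTML-escape the
    user-controlled name before it reaches the page (quote=True also covers
    attribute contexts)."""
    return "<td>%s</td>" % html.escape(name, quote=True)


def render_report(xml_text, escape=True):
    """Render one row per result; escape=False reproduces the vulnerable path."""
    render = render_name_fixed if escape else render_name_vulnerable
    rows = "".join("<tr>%s</tr>" % render(n) for n in page_names(xml_text))
    return "<table>%s</table>" % rows


# Tags the renderer itself emits; anything else starting with '<' came from data.
WRAPPER_TAGS = ("<table>", "</table>", "<tr>", "</tr>", "<td>", "</td>")


def has_foreign_markup(fragment):
    """Check: after removing the renderer's own tags, is any '<' left?
    If so, user data reached the page as markup rather than as text."""
    for tag in WRAPPER_TAGS:
        fragment = fragment.replace(tag, "")
    return "<" in fragment


def is_affected_version(version):
    """Affected range from the advisory table: fitnesse plugin <= 1.31.
    Versions compare as integer tuples, so '1.4' sorts before '1.31' as the
    plugin's numbering intends (a plain string compare would get this wrong)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= (1, 31)


if __name__ == "__main__":
    print("vulnerable:", render_report(SAMPLE_RESULTS_XML, escape=False))
    print("fixed:     ", render_report(SAMPLE_RESULTS_XML, escape=True))
    for v in ("1.30", "1.31", "1.32"):
        print(v, "affected" if is_affected_version(v) else "patched")
```

Running the block prints the same report twice; only the first copy contains a live <img> element. The same has_foreign_markup check can be pointed at a report page fetched from a test Jenkins instance to confirm a deployed version escapes names.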


WAF Protection Rules

WAF Rule

Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files proc…
