Miggo Logo

CVE-2021-22510: Reflected XSS vulnerability in Jenkins Micro Focus Application Automation Tools Plugin

8.8

CVSS Score
3.1

Basic Information

EPSS Score
0.47273%
Published
5/24/2022
Updated
12/22/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:hp-application-automation-tools-pluginmaven<= 6.76.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the unescaped use of convertResult.getConvertedTestsString() in the form validation response. The commit 9fbd698 explicitly adds Util.escape() to sanitize this output, confirming this was the vulnerable code path. The method handles user-supplied test data and returns HTML content without proper output encoding in vulnerable versions, matching the XSS vulnerability description in CVE-2021-22510 and GHSA-gc2r-ccfh-62v9.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mi*ro *o*us *ppli**tion *utom*tion Tools Plu*in *.* *n* **rli*r *o*s not *s**p* us*r input in * *orm v*li**tion r*spons*. T*is r*sults in * r**l**t** *ross-sit* s*riptin* (XSS) vuln*r**ility. Mi*ro *o*us *ppli**tion *utom*tion Tools Plu*in *.* *s**

Reasoning

T** vuln*r**ility st*ms *rom t** un*s**p** us* o* *onv*rtR*sult.**t*onv*rt**T*stsStrin*() in t** *orm v*li**tion r*spons*. T** *ommit ******* *xpli*itly ***s Util.*s**p*() to s*nitiz* t*is output, *on*irmin* t*is w*s t** vuln*r**l* *o** p*t*. T** m*t