Miggo Logo
Miggo Vulnerability Database
CVE-2023-27905

CVE-2023-27905: Cross site scripting vulnerability in update-center2

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-27905
GHSA ID
GHSA-pqg3-xfx2-fmqp
EPSS Score
0.77832%
CWE
CWE-79
Published
3/10/2023
Updated
5/19/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci:update-center2maven>= 3.13, < 3.153.15

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability occurs in HTML generation of plugin download pages where required core versions from plugin metadata are rendered unsanitized. The primary vulnerable function would be the HTML rendering method handling plugin data injection (HtmlOutputFormatter.writePluginRow), as this is where XSS would occur during output generation. Plugin.addVersion is included with lower confidence as it processes raw input but doesn't directly cause XSS. Analysis based on advisory details about unsanitized rendering and the security fix commit focusing on output filtering.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins up**t*-**nt*r* *.** *n* *.** r*n**rs t** r*quir** J*nkins *or* v*rsion on plu*in *ownlo** in**x p***s wit*out s*nitiz*tion, r*sultin* in * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xploit**l* *y *tt**k*rs **l* to provi** * plu*in *or *

Reasoning

T** vuln*r**ility o**urs in *TML **n*r*tion o* plu*in *ownlo** p***s w**r* r*quir** *or* v*rsions *rom plu*in m*t***t* *r* r*n**r** uns*nitiz**. T** prim*ry vuln*r**l* *un*tion woul* ** t** *TML r*n**rin* m*t*o* **n*lin* plu*in **t* inj**tion (`*tmlO