Miggo Logo
Miggo Vulnerability Database
CVE-2024-28156

CVE-2024-28156: Jenkins Build Monitor View Plugin vulnerable to stored Cross-site Scripting

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-28156
GHSA ID
GHSA-5j5r-6mv9-m255
EPSS Score
0.9689%
CWE
CWE-79
Published
3/6/2024
Updated
1/21/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:build-monitor-pluginmaven<= 1.14-860.vd06ef2568b

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The core vulnerability stems from unescaped display of user-controlled view names. Jenkins Jelly templates typically use ${} expressions, and the advisory specifically calls out missing escaping. The high-confidence entry points to the main view rendering template where names are displayed. The medium-confidence entry addresses the configuration persistence layer, though the exact storage mechanism isn't explicitly documented in available sources. The pattern matches Jenkins' typical XSS vulnerabilities where user input flows through configuration forms to display templates without proper escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *uil* Monitor Vi*w Plu*in *.**-***.v**********_** *n* **rli*r *o*s not *s**p* *uil* Monitor Vi*w n*m*s, r*sultin* in * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xploit**l* *y *tt**k*rs **l* to *on*i*ur* *uil* Monitor Vi*ws.

Reasoning

T** *or* vuln*r**ility st*ms *rom un*s**p** *ispl*y o* us*r-*ontroll** vi*w n*m*s. J*nkins J*lly t*mpl*t*s typi**lly us* ${} *xpr*ssions, *n* t** **visory sp**i*i**lly **lls out missin* *s**pin*. T** *i**-*on*i**n** *ntry points to t** m*in vi*w r*n*