https://bugzilla.redhat.com/show_bug.cgi?id=1764366 Bug ID: 1764366 Summary: CVE-2019-10403 jenkins: Stored XSS vulnerability in SCM tag action tooltip Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins did not escape the tag name on the tooltip for tag actions shown in the build history. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the SCM tag name for these actions. References: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1537%20(1) -- You are receiving this mail because: You are on the CC list for the bug.