Jenkins Gitlab Hook Plugin 1.4.2 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) Vulnerability

Summary

Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

Credit:

The information has been provided by Ai Ho

The original article can be found at:http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html


Details

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

 

Vulnerable Systems:

Jenkins Gitlab Hook Plugin 1.4.2

 

CVE Information:

CVE-2020-2096

 

Disclosure Timeline:
Published Date:1/15/2020

Categories: News