Jenkins 2.189 Security Vulnerabilities
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
CVSS Score: 4.8
EPSS Score: 0.005
Published: 2019-09-25
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
CVSS Score: 4.8
EPSS Score: 0.005
Published: 2019-08-28
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CVSS Score: 8.8
EPSS Score: 0.002
Published: 2019-08-28

