CVE-2013-5573

Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.exploit-db.com/exploits/30408	Exploit
http://packetstormsecurity.com/files/124513	Exploit
http://seclists.org/fulldisclosure/2013/Dec/159
http://www.osvdb.org/101187
http://seclists.org/bugtraq/2013/Dec/104	Exploit
http://www.securityfocus.com/bid/64414
https://exchange.xforce.ibmcloud.com/vulnerabilities/89872

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:jenkins:1.523:*:*:*:*:*:*:*

Information

Published : 2013-12-31 08:04

Updated : 2017-08-28 18:33

NVD link : CVE-2013-5573

Mitre link : CVE-2013-5573

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

jenkins

jenkins

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.exploit-db.com/exploits/30408", "name": "30408", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://packetstormsecurity.com/files/124513", "name": "http://packetstormsecurity.com/files/124513", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://seclists.org/fulldisclosure/2013/Dec/159", "name": "20131217 [CVE-2013-5573] Jenkins v1.523 Default markup formatter permits offsite-bound forms", "tags": [], "refsource": "FULLDISC"}, {"url": "http://www.osvdb.org/101187", "name": "101187", "tags": [], "refsource": "OSVDB"}, {"url": "http://seclists.org/bugtraq/2013/Dec/104", "name": "20131217 [CVE-2013-5573] Jenkins v1.523 Default markup formatter permits offsite-bound forms", "tags": ["Exploit"], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/bid/64414", "name": "64414", "tags": [], "refsource": "BID"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89872", "name": "jenkins-cve20135573-xss(89872)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-5573", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2013-12-31T16:04Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:jenkins:jenkins:1.523:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:33Z"}