Jenkins Active Choices Plugin HTML Injection Vulnerability

Active Choices Plugin for Jenkins is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will result in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user. Other attacks are also possible.

Active Choices Plugin 1.5.3 and prior versions are vulnerable.


Bugtraq ID: 101538
Class: Input Validation Error
Remote: Yes
Local: No
Published: Oct 23 2017 12:00AM
Updated: Oct 23 2017 12:00AM
Credit: Daniel Beck from CloudBees Inc.
Vulnerable: Jenkins-Ci Active Choices Plugin 1.5.3
Jenkins-Ci Active Choices Plugin 1.5.2
Jenkins-Ci Active Choices Plugin 1.5.1
Jenkins-Ci Active Choices Plugin 1.5.0

Not Vulnerable: Jenkins-Ci Active Choices Plugin 2.0


An attacker can exploit this issue using a web browser.

Related Posts