Vulnerability Description
Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Sonargraph Integration | <= 5.0.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/06/14/5Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3155Vendor Advisory
- http://www.openwall.com/lists/oss-security/2023/06/14/5Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3155Vendor Advisory
FAQ
What is CVE-2023-35145?
CVE-2023-35145 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerabil...
How severe is CVE-2023-35145?
CVE-2023-35145 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-35145?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Sonargraph Integration.