Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Checkmarx Plugin
*   Custom Build Properties Plugin
*   Gitea Plugin
*   Google Login Plugin
*   Plot Plugin
*   Sonar Gerrit Plugin
*   Spring Config Plugin

**Descriptions****XXE vulnerability in Plot Plugin**

**SECURITY-2940 / CVE-2022-46682**  
**Severity (CVSS):** High  
**Affected plugin: plot**  
**Description:**

Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Plot Plugin 2.1.12 disables external entity resolution for its XML parser.

**Open redirect vulnerability in Google Login Plugin**

**SECURITY-2967 / CVE-2022-46683**  
**Severity (CVSS):** Medium  
**Affected plugin: google-login**  
**Description:**

Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Google Login Plugin 1.7 only redirects to relative (Jenkins) URLs.

**Stored XSS vulnerability in Checkmarx Plugin**

**SECURITY-2869 / CVE-2022-46684**  
**Severity (CVSS):** High  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.

Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability.

While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks.

Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.

**Improper credentials masking in Gitea Plugin**

**SECURITY-2661 / CVE-2022-46685**  
**Severity (CVSS):** Medium  
**Affected plugin: gitea**  
**Description:**

Gitea Plugin support authentication with Gitea personal access tokens.

In Gitea Plugin 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs.

Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens.

Administrators unable to update are advised to use SSH checkout instead.

**Stored XSS vulnerability in Custom Build Properties Plugin**

**SECURITY-2810 / CVE-2022-46686**  
**Severity (CVSS):** High  
**Affected plugin: custom-build-properties**  
**Description:**

Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

Custom Build Properties Plugin 2.82.v16d5b\_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

**Stored XSS vulnerability in Spring Config Plugin**

**SECURITY-2814 / CVE-2022-46687**  
**Severity (CVSS):** High  
**Affected plugin: spring-config**  
**Description:**

Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

Spring Config Plugin 2.0.1 escapes build display names shown on the Spring Config view.

**CSRF vulnerability in Sonar Gerrit Plugin**

**SECURITY-1002 / CVE-2022-46688**  
**Severity (CVSS):** Medium  
**Affected plugin: sonar-gerrit**  
**Description:**

Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

**Severity**

*   SECURITY-1002: Medium
*   SECURITY-2661: Medium
*   SECURITY-2810: High
*   SECURITY-2814: High
*   SECURITY-2869: High
*   SECURITY-2940: High
*   SECURITY-2967: Medium

**Affected Versions**

*   **Checkmarx Plugin** up to and including 2022.3.3
*   **Custom Build Properties Plugin** up to and including 2.79.vc095ccc85094
*   **Gitea Plugin** up to and including 1.4.4
*   **Google Login Plugin** up to and including 1.6
*   **Plot Plugin** up to and including 2.1.11
*   **Sonar Gerrit Plugin** up to and including 377.v8f3808963dc5
*   **Spring Config Plugin** up to and including 2.0.0

**Fix**

*   **Checkmarx Plugin** should be updated to version 2022.4.3
*   **Custom Build Properties Plugin** should be updated to version 2.82.v16d5b\_d3590c7
*   **Gitea Plugin** should be updated to version 1.4.5
*   **Google Login Plugin** should be updated to version 1.7
*   **Plot Plugin** should be updated to version 2.1.12
*   **Spring Config Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Sonar Gerrit Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Asi Greenholts of Cider Security** for SECURITY-2661
*   **CC Bomber, Kitri BoB** for SECURITY-2940
*   **Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2810, SECURITY-2869
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1002
*   **Valdes Che Zogou, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2967

CVE-2022-46686: Jenkins Security Advisory 2022-12-07

A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

CVE-2022-46688: Jenkins Security Advisory 2022-12-07

Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.

CVE-2022-46684: Jenkins Security Advisory 2022-12-07

In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.

CVE-2022-46685: Jenkins Security Advisory 2022-12-07

SENS v1.0 is vulnerable to Cross Site Scripting (XSS) via com.liuyanzhao.sens.web.controller.admin, getRegister.

This project allows for user registration. Audit the source code of registered users, the code location is com.liuyanzhao.sens.web.controller.admin#getRegister

The getRegister() method calls the userService.insert() method.

The insert() method calls the basicUserCheck(user) method.

The basicUserCheck() is used to check whether the form data is valid. In the basicUserCheck() method, parameters such as username length are restricted  
But there is a problem here, which is that the code only limits the length, not the characters. So you can do XSS injection here.  
Use the website provided by the project author to demonstrate the vulnerability.  
The username is set to the payload of xss during user registration.

In this way, whether the malicious user comments on the article or publishes the article, the operation will be attacked by XSS.  
The following is a malicious user comment, other users will access the XSS attack.

Solution: Add a filtering mechanism

CVE-2022-45758: The XSS vulnerability exists in the latest version of SENS · Issue #19 · saysky/SENS

SENS v1.0 is vulnerable to Cross Site Scripting (XSS).

This project allows new users to register. New users are only allowed to post articles and need to be reviewed by an administrator.  
This function is implemented in the project code: com.liuyanzhao.sens.web.controller.admin#pushPost  
The specific code is as follows:

    @PostMapping(value = "/save")
        @ResponseBody
        @SystemLog(description = "保存文章", type = LogTypeEnum.OPERATION)
        public JsonResult pushPost(@ModelAttribute Post post,
                                   @RequestParam("cateList") List<Long> cateIds,
                                   @RequestParam("tagList") String tagList) {
    
            checkCategoryAndTag(cateIds, tagList);
            User user = getLoginUser();
            Boolean isAdmin = loginUserIsAdmin();
            //1、如果开启了文章审核，非管理员文章默认状态为审核
            Boolean isOpenCheck = StringUtils.equals(SensConst.OPTIONS.get(BlogPropertiesEnum.OPEN_POST_CHECK.getProp()), TrueFalseEnum.TRUE.getValue());
            if (isOpenCheck && !isAdmin) {
                post.setPostStatus(PostStatusEnum.CHECKING.getCode());
            }
            post.setUserId(getLoginUserId());
    
            //2、非管理员只能修改自己的文章，管理员都可以修改
            Post originPost = null;
            if (post.getId() != null) {
                originPost = postService.get(post.getId());
                if (!Objects.equals(originPost.getUserId(), user.getId()) && !isAdmin) {
                    return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.permission-denied"));
                }
                //以下属性不能修改
                post.setUserId(originPost.getUserId());
                post.setPostViews(originPost.getPostViews());
                post.setCommentSize(originPost.getCommentSize());
                post.setPostLikes(originPost.getPostLikes());
                post.setCommentSize(originPost.getCommentSize());
                post.setDelFlag(originPost.getDelFlag());
            }
            //3、提取摘要
            int postSummary = 100;
            if (StringUtils.isNotEmpty(SensConst.OPTIONS.get(BlogPropertiesEnum.POST_SUMMARY.getProp()))) {
                postSummary = Integer.parseInt(SensConst.OPTIONS.get(BlogPropertiesEnum.POST_SUMMARY.getProp()));
            }
            //文章摘要
            String summaryText = HtmlUtil.cleanHtmlTag(post.getPostContent());
            if (summaryText.length() > postSummary) {
                String summary = summaryText.substring(0, postSummary);
                post.setPostSummary(summary);
            } else {
                post.setPostSummary(summaryText);
            }
    
            //4、分类标签
            List<Category> categories = categoryService.cateIdsToCateList(cateIds, user.getId());
            post.setCategories(categories);
            if (StringUtils.isNotEmpty(tagList)) {
                List<Tag> tags = tagService.strListToTagList(user.getId(), StringUtils.deleteWhitespace(tagList));
                post.setTags(tags);
            }
            //当没有选择文章缩略图的时候，自动分配一张内置的缩略图
            if (StringUtils.equals(post.getPostThumbnail(), BlogPropertiesEnum.DEFAULT_THUMBNAIL.getProp())) {
                String staticUrl = SensConst.OPTIONS.get(BlogPropertiesEnum.BLOG_STATIC_URL.getProp());
                if (!Strings.isNullOrEmpty(staticUrl)) {
                    post.setPostThumbnail(staticUrl + "/static/images/thumbnail/img_" + RandomUtil.randomInt(0, 14) + ".jpg");
                } else {
                    post.setPostThumbnail("/static/images/thumbnail/img_" + RandomUtil.randomInt(0, 14) + ".jpg");
                }
            }
            post.setPostType(PostTypeEnum.POST_TYPE_POST.getValue());
            postService.insertOrUpdate(post);
            if (isOpenCheck && !isAdmin) {
                return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), "文章已提交审核");
            }
            return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.common.operation-success"));
        }
    

After auditing the code, you can see that there is an xss attack without any wrapping or filtering.  
It is found that the content of the article will be encoded using escapeHTML(), and the article data will be included in the p tag.  
XSS injection can be performed by grabbing traffic packets and directly modifying postTitle or postContent.  
Use the website provided by the project author to demonstrate the vulnerability.  
At this point, the revised content has been submitted for review.  
  
The administrator will be attacked by XSS when logging in to the audit page.  
  
Another problem is that when other undetected xss attacks are used, the administrator will approve them. In this case, storage xss will be formed and all users will be attacked by xss, which is extremely harmful

Solution: Add a filtering mechanism

CVE-2022-45756: The XSS vulnerability exists in the latest version of SENS · Issue #17 · saysky/SENS

Cross-site Scripting (XSS) - DOM in GitHub repository nuxt/framework prior to v3.0.0-rc.13.

CVE-2022-4414

Cross-site Scripting (XSS) - Reflected in GitHub repository nuxt/framework prior to v3.0.0-rc.13.

@@ -1,7 +1,7 @@ import { createRenderer, renderResourceHeaders } from 'vue-bundle-renderer/runtime' import type { RenderResponse } from 'nitropack' import type { Manifest } from 'vite' import { appendHeader, getQuery, writeEarlyHints } from 'h3' import { appendHeader, createError, getQuery, writeEarlyHints } from 'h3' import devalue from '@nuxt/devalue' import { joinURL } from 'ufo' import { renderToString as \_renderToString } from 'vue/server-renderer' @@ -121,6 +121,10 @@ export default defineRenderHandler(async (event) => { const ssrError \= event.req.url?.startsWith('/\_\_nuxt\_error') ? getQuery(event) as Exclude<NuxtApp\['payload'\]\['error'\], Error\> : null if (ssrError && event.req.socket.readyState !== 'readOnly' /\* direct request \*/) { throw createError('Cannot directly render error page!') }  
let url \= ssrError?.url as string || event.req.url!  
// Whether we are rendering payload route

CVE-2022-4413: fix(nuxt): disallow directly rendering error page (#8673) · nuxt/framework@253c8f7

phpMyFAQ prior to version 3.1.9 is vulnerable to reflected Cross-site Scripting (XSS).

**phpMyFAQ vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Dec 11, 2022 • Updated Dec 12, 2022

GHSA-cp9c-phxx-55xm: phpMyFAQ vulnerable to Cross-site Scripting

phpMyFAQ prior to version 3.1.9 is vulnerable to stored Cross-site Scripting (XSS).

Tag

#xss