Menu

Search for hundreds of thousands of exploits

"Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting"

Author

Exploit author

"Ishaq Mohammed"

Platform

Exploit platform

java

Release date

Exploit published date

2019-07-12

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Exploit Title:  Persistent XSS - Dependency Graph View Plugin(v0.13)
# Vendor Homepage: https://wiki.jenkins.io/display/JENKINS/Dependency+Graph+View+Plugin
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# Platform: Java
# CVE: CVE-2019-10349
# Jenkins issue: #SECURITY-1177

1. Description:
The "Display Name" field in General Options of the Configure module in
Jenkins was found to be accepting arbitrary value which when loaded in the
Dependency Graph View module gets execute which makes it vulnerable to a
Stored/Persistent XSS.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10349
2. Proof of Concept:
Vulnerable Source
http://{jenkins-hostname:port}/jobs/{projectname}/configure
Steps to Reproduce:
Login to Jenkins Server with valid credentials and ensure that the
dependency graph plugin is installed.
1. Click on configure the Jenkins plugin.
2. Select advanced options
3. Enter the XSS payload in the "Display Name" field
4. Navigate to Dependency Graph module
5. Observe the Executed Payload
6. Payload used for the demo:

<img src="a" onerror="alert('jenkinsxss')">

3. Solution:
As of publication of this advisory, there is no fix.
The plugin hsa been abandoned by the maintainer


Reference
https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1177
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2019-07-12 "Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2017-12-26 "SilverStripe CMS 3.6.2 - CSV Excel Macro Injection" webapps php "Ishaq Mohammed"
2017-12-18 "Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution" webapps php "Ishaq Mohammed"
2017-11-13 "Kirby CMS < 2.5.7 - Cross-Site Scripting" webapps php "Ishaq Mohammed"
2017-10-25 "KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection" webapps nodejs "Ishaq Mohammed"
2017-10-25 "KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting" webapps nodejs "Ishaq Mohammed"
2017-10-13 "phpMyFAQ 2.9.8 - Cross-Site Scripting (2)" webapps php "Ishaq Mohammed"
2017-10-12 "OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting" webapps php "Ishaq Mohammed"
2017-09-21 "PHPMyFAQ 2.9.8 - Cross-Site Scripting (1)" webapps php "Ishaq Mohammed" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected