Cross-site scripting (XSS) vulnerability in the Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

The remote web server hosts a version of Jenkins (open source) or CloudBees Jenkins Enterprise that is affected by multiple vulnerabilities :

  - An error exists related to file upload processing that     allows a remote attacker to overwrite arbitrary files.
    (CVE-2013-2186)

  - An input validation error exists related to the included     'ZeroClipboard' component that allows cross-site     scripting attacks. (CVE-2014-1869)

  - An error exists related to 'CLI handshake' handling that     allows denial of service attacks. (CVE-2014-3661)

  - An error exists related to handling login attempts using     non-existent or incorrect account names that allows a     remote attacker to enumerate application user names.
    (CVE-2014-3662)

  - An error exists related to handling users having     'Job/CONFIGURE' permissions that allows such users to     perform actions meant only for 'Job/CREATE' permissions.
    (CVE-2014-3663)

  - An error exists related to handling users having     'Overall/READ' permissions that allows directory     traversal attacks. (CVE-2014-3664)

  - An error exists related to the 'CLI channel' that allows     arbitrary code execution by a remote attacker on the     Jenkins master. (CVE-2014-3666)

  - An error exists related to handling users having     'Overall/READ' permissions that allows plugin source     code to be disclosed. (CVE-2014-3667)

  - An input validation error exists related to the     'Monitoring' plugin that allows cross-site scripting     attacks. (CVE-2014-3678)

  - An error exists related to the 'Monitoring' plugin that     allows unauthorized access to sensitive information.
    (CVE-2014-3679)

  - An error exists related to handling users having     'Job/READ' permissions that allows such users to     obtain default passwords belonging to parameterized     jobs. (CVE-2014-3680)

  - An unspecified input validation error allows cross-site     scripting attacks. (CVE-2014-3681)

Jenkins Security Advisory :

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
78859	Jenkins < 1.583 / 1.565.3 and Jenkins Enterprise 1.532.x / 1.554.x / 1.565.x < 1.532.10.1 / 1.554.10.1 / 1.565.3.1 Multiple Vulnerabilities	Nessus	CGI abuses	critical
78017	FreeBSD : jenkins -- remote execution, privilege escalation, XSS, password exposure, ACL hole, DoS (549a2771-49cc-11e4-ae2c-c80aa9043978)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2014-3678

medium

Tenable Plugins

critical

high