CVE-2024-28160

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-28160
Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/03/06/3 Mailing List
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248 Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/03/06/3 Mailing List
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:icescrum:*:*:*:*:*:jenkins:*:*
History

07 May 2025, 14:23

Type Values Removed Values Added
CPE cpe:2.3:a:jenkins:icescrum:*:*:*:*:*:jenkins:*:*
References () http://www.openwall.com/lists/oss-security/2024/03/06/3 - () http://www.openwall.com/lists/oss-security/2024/03/06/3 - Mailing List
References () https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248 - () https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248 - Vendor Advisory
First Time Jenkins
Jenkins icescrum

21 Nov 2024, 09:05

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/03/06/3 - () http://www.openwall.com/lists/oss-security/2024/03/06/3 -
References () https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248 - () https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248 -

07 Nov 2024, 17:35

Type Values Removed Values Added
CWE CWE-79
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8

01 May 2024, 18:15

Type Values Removed Values Added
Summary
  • (es) El complemento Jenkins iceScrum 1.1.6 y versiones anteriores no sanitiza las URL del proyecto iceScrum en las vistas de compilación, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas que pueden explotar los atacantes capaces de configurar trabajos.
References
  • () http://www.openwall.com/lists/oss-security/2024/03/06/3 -

06 Mar 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-06 17:15

Updated : 2025-05-07 14:23

NVD link : CVE-2024-28160

Mitre link : CVE-2024-28160

CVE.ORG link : CVE-2024-28160

JSON object : View

Products Affected

jenkins

  • icescrum
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')