{"id":"GHSA-5qx5-vg5w-5mx3","summary":"Stored XSS vulnerability in Jenkins Badge Plugin","details":"Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.","aliases":["CVE-2022-23108"],"modified":"2024-02-16T08:17:07.766755Z","published":"2022-01-13T00:00:54Z","database_specific":{"severity":"MODERATE","github_reviewed_at":"2022-04-29T04:37:47Z","github_reviewed":true,"nvd_published_at":"2022-01-12T20:15:00Z","cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23108"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/badge-plugin"},{"type":"WEB","url":"https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2547"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2022/01/12/6"}],"affected":[{"package":{"name":"org.jenkins-ci.plugins:badge","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.plugins/badge"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.9.1"}]}],"versions":["1.0","1.1","1.2","1.3","1.4","1.5","1.6","1.7","1.8","1.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-5qx5-vg5w-5mx3/GHSA-5qx5-vg5w-5mx3.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}