Low severityNVD Advisory· Published Nov 25, 2013· Updated Apr 29, 2026

CVE-2013-6374

Description

Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.5.1 for Jenkins allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzerMaven	< 1.5.1	1.5.1

Affected products

Jenkins Project/Build Failure Analyzer4 versions
cpe:2.3:a:jenkins-ci:build_failure_analyzer:1.2.0:-:*:*:*:cloudbees_jenkins:*:*+ 3 more
- cpe:2.3:a:jenkins-ci:build_failure_analyzer:1.2.0:-:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:build_failure_analyzer:1.3.0:-:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:build_failure_analyzer:1.4.0:-:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:build_failure_analyzer:*:-:*:*:*:cloudbees_jenkins:*:*range: <=1.5.0
ghsa-coords
pkg:maven/com.sonyericsson.jenkins.plugins.bfa/build-failure-analyzer
Range: < 1.5.1

Patches

cf20a8df11e7

Fix SECURITY-96

https://github.com/jenkinsci/build-failure-analyzer-pluginRobert SandellNov 19, 2013via ghsa

commit

2 files changed · +2 −2

src/main/resources/com/sonyericsson/jenkins/plugins/bfa/CauseManagement/index.groovy+1 −1 modified

@@ -110,7 +110,7 @@ l.layout(permission: PluginImpl.UPDATE_PERMISSION) {
             text(cause.getCategoriesAsString())
           }
           td{
-            raw(cause.getDescription())
+            raw(app.markupFormatter.translate(cause.getDescription()))
           }
           td {
             if (canRemove) {

src/main/resources/com/sonyericsson/jenkins/plugins/bfa/model/FailureCauseBuildAction/summary.jelly+1 −1 modified

@@ -64,7 +64,7 @@
             <tr>
                 <td/>
                 <td>
-                    ${cause.description}
+                    ${app.markupFormatter.translate(cause.description)}
                 </td>
             </tr>
             <tr>

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

secunia.com/advisories/55783nvdVendor Advisory
github.com/advisories/GHSA-h52h-972r-68mhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2013-6374ghsaADVISORY
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20nvdVendor AdvisoryWEB
github.com/jenkinsci/build-failure-analyzer-plugin/commit/cf20a8df11e71e8652180d9fafd9bb47385067c7ghsaWEB
wiki.jenkins-ci.org/display/JENKINS/Build+Failure+AnalyzernvdWEB
osvdb.org/100106nvd

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000