CVE-2018-1000108

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Jenkins CppNCSS Plugin versions 1.1 and earlier. The flaw resides in the AbstractProjectAction/index.jelly view file, which does not properly sanitize user-visible output. An attacker can craft a malicious link to a Jenkins URL that, when accessed by a user with sufficient permissions, executes arbitrary JavaScript in the context of the user's browser session. The affected plugin versions are 1.1 and all prior releases [1][2].

Exploitation

An attacker does not require authentication to craft the malicious link, but the victim must be logged into Jenkins and follow the crafted URL. The attack is performed by embedding the XSS payload into a URL parameter that is reflected in the CppNCSS plugin's interface. No special network position is needed; the attacker only needs to deliver the link to a victim (e.g., via email, social engineering, or another web site) [1][2].

Impact

Successful exploitation allows the attacker to run arbitrary JavaScript in the victim's browser within the Jenkins session. This can lead to session hijacking, credential theft, unauthorized actions on the Jenkins server, or defacement. The attacker gains access to the victim's session and can perform any action that the victim is authorized to do in Jenkins [1][2].

Mitigation

Jenkins released CppNCSS Plugin version 1.2 on 2018-02-26, which fixes the vulnerability by properly escaping output in the AbstractProjectAction/index.jelly view. All users should update to version 1.2 or later immediately. No workarounds are documented for earlier versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].