CVE-2018-1000113
Description
Jenkins TestLink Plugin 2.12 and earlier has a stored XSS vulnerability that lets attackers control report names to inject malicious HTML or JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins TestLink Plugin versions 2.12 and earlier contain a stored cross-site scripting (XSS) vulnerability in TestLinkBuildAction/summary.jelly and other related views. An attacker who can control TestLink report names (e.g., through the TestLink API or by compromising the TestLink server) can inject arbitrary HTML and JavaScript into Jenkins pages that display those names. The issue affects all builds using the plugin with a TestLink connection configured [1][2].
Exploitation
An attacker must have the ability to set or modify TestLink report names on the TestLink server. This can be achieved through write access to TestLink database records or by compromising a TestLink admin account. Once a malicious report name containing JavaScript payloads (e.g., in double quotes or script tags) is stored, any Jenkins user viewing the TestLink build action page will trigger the script in their browser. No special Jenkins permissions are required for the victim beyond viewing the affected build dashboard [1][2].
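The two sections above describe the defect in view terms only: a TestLink report name reaches a Jelly view and is written into the page as markup. The fragment below is an added illustration, not the plugin's actual summary.jelly, and it assumes a hypothetical `reports` list whose items expose a `name` populated from TestLink; it contrasts the unsafe raw-output pattern with the escaped form that a maintainer would use to close this class of stored XSS.

```xml
<?jelly escape-by-default='true'?>
<!-- Hypothetical Jenkins view fragment (not from the TestLink Plugin).
     'reports' is an assumed iterable whose items expose a name taken from TestLink. -->
<j:jelly xmlns:j="jelly:core">

  <!-- UNSAFE: j:out writes the value verbatim, so any HTML or script inside a
       TestLink report name is emitted as live markup in the Jenkins page. -->
  <ul>
    <j:forEach var="r" items="${reports}">
      <li><j:out value="${r.name}"/></li>
    </j:forEach>
  </ul>

  <!-- SAFE: with escape-by-default on, ${...} output is HTML-escaped; h.escape
       makes the intent explicit so a later edit cannot silently regress it. -->
  <ul>
    <j:forEach var="r" items="${reports}">
      <li>${h.escape(r.name)}</li>
    </j:forEach>
  </ul>

</j:jelly>
```

The point for reviewers of any plugin that renders data from an external system: treat such values as untrusted, look for `j:out` and for views lacking the `escape-by-default` directive, and escape at output time rather than trying to sanitize report names on the TestLink side.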
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a Jenkins user's session. This can lead to session hijacking, credential theft, arbitrary actions performed on behalf of the logged-in user, or exposing sensitive build information. The attack does not require direct access to Jenkins itself, only the ability to influence data from the connected TestLink instance [1][2].
Mitigation
The Jenkins security advisory (2018-02-26) does not mention a specific fixed version for the TestLink Plugin. As of the advisory date, users are advised to upgrade to a patched version if one becomes available. No workaround, such as disabling the affected views, was provided in the references. Users should monitor the plugin update page and apply any future release that resolves the XSS issue [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:testlink (Maven) | < 2.13 | 2.13 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-3rrg-p8xc-3457 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000113 (GHSA advisory)
- jenkins.io/security/advisory/2018-02-26/ (GHSA, x_refsource_CONFIRM, web)
News mentions: 0
No linked articles in our index yet.