CVE-2019-10336
Description
A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers controlling ElectricFlow API output to inject arbitrary HTML and JavaScript via reflected XSS in job configuration forms.
Vulnerability
Overview
CVE-2019-10336 is a reflected cross-site scripting (XSS) vulnerability in the Jenkins ElectricFlow Plugin, affecting versions 1.1.6 and earlier. The plugin failed to properly sanitize output from the ElectricFlow API when rendering job configuration forms that include post-build steps. This allowed an attacker who can control the API's output to inject arbitrary HTML and JavaScript into those forms [1][2].
Exploitation
The attack is possible because the plugin used innerHTML to set label content in several JavaScript functions in its job configuration forms (addParameterRowForDeployApplication, addParameterRowForRunPipeline, addParameterRowForRunProcedure and addParameterRowForTriggerRelease). The commit fixing the issue shows that these assignments were changed from innerHTML to textContent, which prevents script execution by treating the API output as plain text rather than HTML [4]. An attacker must be able to influence the ElectricFlow API response that the Jenkins plugin consumes; this typically requires some level of access to the ElectricFlow system or the ability to craft malicious API responses (e.g., via a compromised or malicious ElectricFlow server).
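The difference between the two assignments is easiest to see in serialized form. The following is an added example, not code from the plugin or the commit: it models what `td2.innerHTML = label` versus `td2.textContent = label` amounts to for a label taken from an ElectricFlow API response, and adds a defender-side check that flags labels containing markup characters. The response shape (`parameterName`, `defaultValue`) and the sample label are constructed for the example and are not the real API format.

```javascript
// Added example, not the plugin's own code. It models the two DOM
// assignments the SECURITY-1420 fix switches between, plus a check a
// Jenkins administrator could run over an ElectricFlow API response.

// Minimal HTML escaper: the characters a text node serializes as entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Equivalent of `td2.innerHTML = label` (pre-1.1.7): the API string is parsed
// as markup, so any tags inside it become elements of the configuration form.
function renderLabelCellWithInnerHTML(label) {
  return `<td class="setting-name">${label}</td>`;
}

// Equivalent of `td2.textContent = label` (the fixed version): the string is
// stored as a text node, so its markup characters are escaped on serialization.
function renderLabelCellWithTextContent(label) {
  return `<td class="setting-name">${escapeHtml(label)}</td>`;
}

// Counts element start tags in a serialized cell. A label rendered as text
// contributes none, so the safe path always yields exactly one (the <td>).
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Defender-side check over an API response: a parameter label is expected to
// be a plain identifier, so markup characters in it are worth flagging before
// a pre-1.1.7 installation renders the form.
function findSuspiciousLabels(parameters) {
  return parameters
    .map((p) => p.parameterName)
    .filter((name) => /[<>"'&]/.test(name));
}

// Constructed sample response (hypothetical shape; field names are assumed).
const SAMPLE_PARAMETERS = [
  { parameterName: 'environment', defaultValue: 'qa' },
  { parameterName: 'Environment <em>name</em>', defaultValue: '' },
];

function demo() {
  const hostile = SAMPLE_PARAMETERS[1].parameterName;
  return {
    viaInnerHTML: countStartTags(renderLabelCellWithInnerHTML(hostile)),     // 2: <td> plus <em>
    viaTextContent: countStartTags(renderLabelCellWithTextContent(hostile)), // 1: only <td>
    flagged: findSuspiciousLabels(SAMPLE_PARAMETERS),
  };
}

console.log(demo());
```

The tag count is the whole point: with innerHTML the label's `<em>` becomes a second element inside the form, which is the same path a script-bearing label would take; with textContent the cell still contains exactly one element no matter what the API returned.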
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a Jenkins user's browser session when they view or edit a job configuration containing the affected post-build steps. This can lead to session hijacking, credential theft, or other client-side attacks against Jenkins administrators or users with job configuration access.
Mitigation
The vulnerability was fixed in ElectricFlow Plugin version 1.1.7, released on June 11, 2019 [3]. Users should upgrade to this version or later. No workarounds are documented; Jenkins administrators should ensure they are running the latest version of the plugin.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:electricflow (Maven) | < 1.1.7 | 1.1.7 |
Affected products
- Jenkins project / Jenkins ElectricFlow Plugin, range: 1.1.6 and earlier
Patches
4550f86e75e0 [SECURITY-1420]
4 files changed · +8 −8
src/main/resources/org/jenkinsci/plugins/electricflow/ElectricFlowDeployApplication/config.jelly+2 −2 modified@@ -158,12 +158,12 @@ All rights reserved. function addParameterRowForDeployApplication(row, label, value, isCheckbox) { var td1 = document.createElement('td'); td1.className = 'setting-leftspace'; - td1.innerHTML = ''; + td1.textContent = ''; row.appendChild(td1); var td2 = document.createElement('td'); td2.className = 'setting-name'; - td2.innerHTML = label; + td2.textContent = label; row.appendChild(td2); var td3 = document.createElement('td');
src/main/resources/org/jenkinsci/plugins/electricflow/ElectricFlowPipelinePublisher/config.jelly+2 −2 modified@@ -143,12 +143,12 @@ All rights reserved. function addParameterRowForRunPipeline(row, label, value) { var td1 = document.createElement('td'); td1.className = 'setting-leftspace'; - td1.innerHTML = ''; + td1.textContent = ''; row.appendChild(td1); var td2 = document.createElement('td'); td2.className = 'setting-name'; - td2.innerHTML = label; + td2.textContent = label; row.appendChild(td2); var td3 = document.createElement('td');
src/main/resources/org/jenkinsci/plugins/electricflow/ElectricFlowRunProcedure/config.jelly+2 −2 modified@@ -145,12 +145,12 @@ All rights reserved. function addParameterRowForRunProcedure(row, label, value, isCheckbox) { var td1 = document.createElement('td'); td1.className = 'setting-leftspace'; - td1.innerHTML = ''; + td1.textContent = ''; row.appendChild(td1); var td2 = document.createElement('td'); td2.className = 'setting-name'; - td2.innerHTML = label; + td2.textContent = label; row.appendChild(td2); var td3 = document.createElement('td');
src/main/resources/org/jenkinsci/plugins/electricflow/ElectricFlowTriggerRelease/config.jelly+2 −2 modified@@ -178,12 +178,12 @@ All rights reserved. function addParameterRowForTriggerRelease(row, label, value, isCheckbox) { var td1 = document.createElement('td'); td1.className = 'setting-leftspace'; - td1.innerHTML = ''; + td1.textContent = ''; row.appendChild(td1); var td2 = document.createElement('td'); td2.className = 'setting-name'; - td2.innerHTML = label; + td2.textContent = label; row.appendChild(td2); var td3 = document.createElement('td');
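Review bot: in the ElectricFlowDeployApplication hunk the fix covers only the `label` argument, while the function also receives `value` and `isCheckbox` and the context ends at `var td3 = document.createElement('td');`, before `value` is rendered. Confirm that the third cell writes `value` through `textContent` or an input's `.value` property rather than `innerHTML`, since it comes from the same API response. The `td1.innerHTML = ''` to `td1.textContent = ''` change is behaviourally neutral and is fine to keep.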
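Review bot: the ElectricFlowRunProcedure hunk is the third near-identical copy of the same row builder (`addParameterRowForRunProcedure` next to `addParameterRowForDeployApplication` and `addParameterRowForRunPipeline`), each patched line by line. Suggest factoring the cell construction into one shared helper so the next output-encoding fix lands in a single place rather than in four jelly files.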
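Review bot: the ElectricFlowTriggerRelease hunk patches `addParameterRowForTriggerRelease` identically, but the narrative on this page lists only the DeployApplication, RunPipeline and RunProcedure functions. The change set (4 files changed) should be reflected in the advisory and release notes so that the trigger-release post-build step is documented as affected.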
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-w3pj-v9jr-v2wc (GHSA: advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-10336 (GHSA: advisory)
- https://www.openwall.com/lists/oss-security/2019/06/11/1 (GHSA: mailing list, x_refsource_MLIST, web)
- https://www.securityfocus.com/bid/108747 (MITRE: vdb-entry, x_refsource_BID)
- https://github.com/jenkinsci/electricflow-plugin/commit/4550f86e75e0927be644958ed088e4fa82c783b7 (GHSA: web)
- https://jenkins.io/security/advisory/2019-06-11/ (GHSA: x_refsource_CONFIRM, web)
- https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747 (GHSA: web)
News mentions
No linked articles in our index yet.