CVE-2019-10349
Description
Stored XSS in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allows attackers with job configuration access to inject arbitrary HTML and JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability is a stored cross-site scripting (XSS) in the Jenkins Dependency Graph Viewer Plugin versions 0.13 and earlier [2][3]. It allows users who can configure jobs to inject arbitrary HTML and JavaScript into plugin-provided web pages, because user-controlled job parameters are not sanitized before being rendered in the dependency graph view.
Exploitation requires the attacker to have Job/Configure permission or equivalent ability to modify job settings [3]. The attacker can embed malicious script in job names, descriptions, or other configuration fields that are displayed in the dependency graph. When other users (e.g., administrators or developers) view the graph, the script executes in their browser session.
A successful attack can lead to session hijacking, credential theft, or further compromise of the Jenkins instance, as the injected script runs in the context of the victim's session and can perform actions on their behalf.
The plugin had no fix available at the time of disclosure in July 2019 [4]. The advisory recommends disabling the plugin or applying appropriate access controls as a workaround [3].
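The mechanism described above (a user-controlled display name concatenated into graph markup without encoding) and the shape of the fix (HTML-escaping the name before it reaches the page) as an added, runnable illustration. This is not code from the depgraph-view plugin: the render functions and the job names are constructed for the example, and `escapeHtml` is a hypothetical inline stand-in for `org.apache.commons.lang.StringEscapeUtils.escapeHtml`, which the actual fix commit calls. The stand-in additionally encodes the apostrophe, which commons-lang 2's `escapeHtml` does not; that difference only matters if the value is ever placed inside a single-quoted attribute or a JavaScript string.

```java
// Added example, not plugin code: shows why an unescaped job display name
// becomes stored XSS when rendered into the dependency graph, and how escaping
// at render time neutralizes it. escapeHtml() is a hypothetical stand-in for
// org.apache.commons.lang.StringEscapeUtils.escapeHtml (used by the real fix),
// written inline so the example runs without the commons-lang dependency.
public final class DependencyGraphRenderDemo {

    // Constructed sample display names: values a user holding Job/Configure
    // permission controls directly.
    static final String SAFE_NAME = "build-frontend";
    static final String HOSTILE_NAME = "build-frontend<script>alert(1)</script>";

    // Vulnerable rendering (pre-0.14 behaviour): the name is inserted as-is.
    static String renderNodeUnsafe(String displayName) {
        return "<td class=\"node\">" + displayName + "</td>";
    }

    // Hardened rendering (mirrors the SECURITY-1177 fix): same markup, name
    // HTML-encoded before insertion so the browser treats it as text.
    static String renderNodeEscaped(String displayName) {
        return "<td class=\"node\">" + escapeHtml(displayName) + "</td>";
    }

    // Minimal HTML escaper for element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Crude visibility check: does the fragment still contain a raw <script
    // tag that a browser would execute? (Not a general XSS detector.)
    static boolean containsRawScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        for (String name : new String[] { SAFE_NAME, HOSTILE_NAME }) {
            String unsafe = renderNodeUnsafe(name);
            String escaped = renderNodeEscaped(name);
            System.out.println("input:   " + name);
            System.out.println("unsafe:  " + unsafe
                    + "  -> raw script tag present: " + containsRawScriptTag(unsafe));
            System.out.println("escaped: " + escaped
                    + "  -> raw script tag present: " + containsRawScriptTag(escaped));
            System.out.println();
        }
    }
}
```

Running it prints the two renderings side by side: the unescaped version of the hostile name contains a live `<script>` element, the escaped version contains only `&lt;script&gt;` text. The design point worth noting is where the encoding happens: the plugin's fix encodes inside the model getter `getName()`, which is simple but means every caller of that getter now receives an HTML fragment rather than a plain string; encoding at the output (template) layer keeps the model context-free and avoids double-encoding if the view layer already escapes.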
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:depgraph-view (Maven) | < 0.14 | 0.14 |
Affected products
- Range: 0.13 and earlier
Patches
288496fd2e6f Fix SECURITY-1177
1 file changed · +3 −1
src/main/java/hudson/plugins/depgraph_view/model/graph/ProjectNode.java+3 −1 modified@@ -22,6 +22,8 @@ package hudson.plugins.depgraph_view.model.graph; +import org.apache.commons.lang.StringEscapeUtils; + import com.google.common.base.Preconditions; import hudson.model.AbstractProject; @@ -41,7 +43,7 @@ public ProjectNode(AbstractProject<?, ?> project) { } public String getName() { - return project.getFullDisplayName(); + return StringEscapeUtils.escapeHtml(project.getFullDisplayName()); } public AbstractProject<?, ?> getProject() {
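Review bot: escaping inside the model getter `getName()` (the `return StringEscapeUtils.escapeHtml(project.getFullDisplayName());` line) rather than at the point of output means every caller of `ProjectNode.getName()` now receives an HTML fragment, and any view that already encodes its output will double-encode it; either move the call into the graph rendering code or add a Javadoc note on `getName()` stating that it returns HTML-escaped text. Also, `org.apache.commons.lang.StringEscapeUtils.escapeHtml` does not encode the apostrophe, so the returned value is safe in element content and double-quoted attributes but not in single-quoted attributes or JavaScript string literals; a unit test with a display name containing `<`, `"` and `'` would pin down which contexts the change is meant to cover.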
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4wj7-rh5h-5qmr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10349 (NVD advisory)
- packetstormsecurity.com/files/153610/Jenkins-Dependency-Graph-View-0.13-Cross-Site-Scripting.html (web)
- www.openwall.com/lists/oss-security/2019/07/11/4 (mailing list)
- www.securityfocus.com/bid/109156 (vulnerability database entry)
- github.com/jenkinsci/depgraph-view-plugin/commit/288496fd2e6fe922da3b43067e73cfac07a910e8 (fix commit)
- jenkins.io/security/advisory/2019-07-11/ (vendor advisory)