Moderate severity · NVD Advisory · Published Jul 31, 2019 · Updated Aug 4, 2024
CVE-2019-10360
Description
A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins.m2release:m2release (Maven) | < 0.15.0 | 0.15.0 |
Affected products
- Range: 0.14.0 and earlier
Patches
d32dcfe65302 [SECURITY-1184]
11 files changed · +12 −4
src/main/resources/org/jvnet/hudson/plugins/m2release/dashboard/RecentReleasesPortlet/config.jelly+1 −1 modified@@ -21,7 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --> - +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry title="${%Name}"> <f:textbox name="portlet.name" field="name"/>
src/main/resources/org/jvnet/hudson/plugins/m2release/dashboard/RecentReleasesPortlet/main.jelly+2 −0 modified@@ -22,7 +22,9 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --> +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:dp="/hudson/plugins/view/dashboard" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> + <table class="sortable pane bigtable" id="projectStatus"> <tr><td class="pane-header" colspan="5">${it.displayName}</td></tr> <j:set var="recentReleases" value="${it.getRecentReleases(50)}"/>
src/main/resources/org/jvnet/hudson/plugins/m2release/dashboard/RecentReleasesPortlet/portlet.jelly+1 −1 modified@@ -21,7 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --> - +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:dp="/hudson/plugins/view/dashboard" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <dp:decorate portlet="${it}" width="2"> <j:set var="recentReleases" value="${it.getRecentReleases(5)}"/>
src/main/resources/org/jvnet/hudson/plugins/m2release/LastReleaseListViewColumn/columnHeader.jelly+1 −1 modified@@ -21,7 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --> - +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core"> <th>${%Last Release}</th> </j:jelly> \ No newline at end of file
src/main/resources/org/jvnet/hudson/plugins/m2release/LastReleaseListViewColumn/column.jelly+1 −1 modified@@ -21,7 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --> - +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt"> <j:set var="info" value="${it.getLastReleaseInfoOf(job)}" />
src/main/resources/org/jvnet/hudson/plugins/m2release/M2ReleaseAction/failed.jelly+1 −0 modified@@ -1,6 +1,7 @@ <!-- The user tried to schedule a build but it failed. --> +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <l:layout> <l:main-panel>
src/main/resources/org/jvnet/hudson/plugins/m2release/M2ReleaseAction/index.jelly+1 −0 modified@@ -3,6 +3,7 @@ This belongs to a build view. --> +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <l:layout norefresh="true"> <l:main-panel>
src/main/resources/org/jvnet/hudson/plugins/m2release/M2ReleaseBadgeAction/badge.jelly+1 −0 modified@@ -1,3 +1,4 @@ +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core"> <j:choose> <j:when test="${it.isFailedBuild()}">
src/main/resources/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper/config.jelly+1 −0 modified@@ -1,3 +1,4 @@ +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <!-- This jelly script is used for per-project configuration.
src/main/resources/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper/global.jelly+1 −0 modified@@ -1,3 +1,4 @@ +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <!-- This Jelly script is used to produce the global configuration option.
src/main/resources/org/jvnet/hudson/plugins/m2release/ReleaseCause/description.jelly+1 −0 modified@@ -1,3 +1,4 @@ +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <p>${%releasedBy(it.userName,rootURL)}</p> </j:jelly>
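Review bot: In RecentReleasesPortlet/main.jelly the hunk adds a blank line after the opening `<j:jelly ...>` tag in addition to the escape directive (this is the only file at +2), which is unrelated to the escaping fix; drop it so the security change stays a one-line diff per file. The header cell `${it.displayName}` is the value that is now escaped in this view, so a test that renders the portlet with markup in the display name would pin the behaviour.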
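Review bot: LastReleaseListViewColumn/columnHeader.jelly still ends with "\ No newline at end of file" after `</j:jelly>`; since the file is being touched anyway, add the trailing newline in the same change.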
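Review bot: In ReleaseCause/description.jelly, `${%releasedBy(it.userName,rootURL)}` passes `it.userName` into a localized message whose template lives in a properties file this commit does not touch, so the diff alone does not show how the name ends up in the output. Please confirm that the rendered cause description shows a user name containing `<` or `"` as plain text, and add a test for it: all 11 changed files are Jelly views and no test accompanies the fix.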
References
- github.com/advisories/GHSA-79rm-f26g-296p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10360 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/07/31/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/m2release-plugin/commit/d32dcfe65302eeae550c022429d1e28e30c94757 (ghsa, WEB)
- jenkins.io/security/advisory/2019-07-31/ (ghsa, x_refsource_CONFIRM, WEB)