Moderate severityNVD Advisory· Published Sep 25, 2019· Updated Aug 4, 2024

CVE-2019-10401

Description

Stored XSS in Jenkins f:expandableTextBox form control allows users with Job/Configure permission to inject arbitrary HTML/JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Jenkins f:expandableTextBox form control allows users with Job/Configure permission to inject arbitrary HTML/JavaScript.

In Jenkins versions 2.196 and earlier, and LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded [1][2][3]. This design flaw results in a stored cross-site scripting (XSS) vulnerability, as the text content is rendered without proper HTML escaping upon expansion.

To exploit this vulnerability, an attacker must have Job/Configure permission to define the content of the f:expandableTextBox form control [1][3]. When a victim accesses a configuration page containing the malicious payload, the textbox expands and the embedded HTML/JavaScript executes in the victim's browser context, within the Jenkins session.

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Jenkins UI, potentially leading to session hijacking, credential theft, or further privilege escalation within Jenkins [1][2].

Jenkins has addressed this issue in versions 2.197, LTS 2.176.4, and LTS 2.190.1 by no longer interpreting f:expandableTextBox content as HTML when expanding the field [1][2][4]. Users are advised to upgrade to these or later versions to mitigate the risk.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.main:jenkins-coreMaven	< 2.176.4	2.176.4
org.jenkins-ci.main:jenkins-coreMaven	>= 2.177, < 2.197	2.197

Affected products

ghsa-coords
pkg:maven/org.jenkins-ci.main/jenkins-core
Range: < 2.176.4
Jenkins Project/Jenkinscpe-rescue
Range: 2.196 and earlier, LTS 2.176.3 and earlier

Patches

df600eb7a28d

[SECURITY-1498]

https://github.com/jenkinsci/jenkinsWadeck FollonierSep 10, 2019via ghsa

commit

3 files changed · +93 −2

test/src/test/java/lib/form/ExpandableTextboxSEC1498Test.java+58 −0 added

@@ -0,0 +1,58 @@
+package lib.form;
+
+import com.gargoylesoftware.htmlunit.html.HtmlElementUtil;
+import com.gargoylesoftware.htmlunit.html.HtmlInput;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import hudson.model.FreeStyleProject;
+import hudson.model.Job;
+import jenkins.model.OptionalJobProperty;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.TestExtension;
+
+import static org.junit.Assert.assertEquals;
+
+//TODO meant to be merged back into ExpandableTextboxTest after security release to avoid conflict during the upmerge process
+public class ExpandableTextboxSEC1498Test {
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Test
+    public void noXssUsingInputValue() throws Exception {
+        XssProperty xssProperty = new XssProperty("</textarea><h1>HACK</h1>");
+        FreeStyleProject p = j.createFreeStyleProject();
+        p.addProperty(xssProperty);
+
+        JenkinsRule.WebClient wc = j.createWebClient();
+        HtmlPage configurePage = wc.getPage(p, "configure");
+
+        int numberOfH1Before = configurePage.getElementsByTagName("h1").size();
+
+        HtmlInput xssInput = configurePage.getElementByName("_.xss");
+        HtmlInput expandButton = (HtmlInput) xssInput.getParentNode().getNextSibling().getFirstChild();
+        HtmlElementUtil.click(expandButton);
+
+        // no additional h1, meaning the "payload" is not interpreted
+        int numberOfH1After = configurePage.getElementsByTagName("h1").size();
+
+        assertEquals(numberOfH1Before, numberOfH1After);
+    }
+    
+    public static final class XssProperty extends OptionalJobProperty<Job<?,?>> {
+        
+        private String xss;
+        
+        public XssProperty(String xss){
+            this.xss = xss;
+        }
+
+        public String getXss() {
+            return xss;
+        }
+
+        @TestExtension("noXssUsingInputValue")
+        public static class DescriptorImpl extends OptionalJobProperty.OptionalJobPropertyDescriptor {
+        }
+    }
+}

test/src/test/resources/lib/form/ExpandableTextboxSEC1498Test/XssProperty/config-details.jelly+29 −0 added

@@ -0,0 +1,29 @@
+<!--
+The MIT License
+
+Copyright (c) 2019, CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
+    <f:entry field="xss">
+        <f:expandableTextbox />
+    </f:entry>
+</j:jelly>
\ No newline at end of file

war/src/main/webapp/scripts/hudson-behavior.js+6 −2 modified

@@ -1505,8 +1505,12 @@ function expandTextArea(button,id) {
         n = n.parentNode;
     }
 
-    n.parentNode.innerHTML = 
-        "<textarea rows=8 class='setting-input' name='"+field.name+"'>"+value+"</textarea>";
+    var parent = n.parentNode;
+    parent.innerHTML = "<textarea rows=8 class='setting-input'></textarea>";
+    var textArea = parent.childNodes[0];
+    textArea.name = field.name;
+    textArea.innerText = value;
+
     layoutUpdateCallback.call();
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-hg6g-jj7g-x6v2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-10401ghsaADVISORY
www.openwall.com/lists/oss-security/2019/09/25/3ghsamailing-listx_refsource_MLISTWEB
github.com/jenkinsci/jenkins/commit/df600eb7a28dea189c41037398fd36fcea36302eghsaWEB
jenkins.io/security/advisory/2019-09-25/ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000