Moderate severity · OSV Advisory · Published Jan 25, 2019 · Updated Aug 4, 2024

CVE-2019-6804

Description

Stored XSS in Rundeck Community Edition Job Edit page via unsanitized script file text.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Job Edit page of Rundeck Community Edition before version 3.0.13 [1][4]. The issue is located in the workflowStepEditorKO.js and views/execution/_wfitemEdit.gsp files [1]. Specifically, the scriptfileText value, entered by the user when creating or editing a script step, was rendered with the Knockout (KO) `text` binding in some places but with the `html` binding in the preview block [4]. This allowed unsanitized HTML or JavaScript to be stored and later executed in the context of another user editing or viewing the job.

Exploitation

An attacker with permission to create or edit jobs can inject malicious HTML or JavaScript into the script file text field. When an administrator or other user views or edits that job, the injected script is rendered unsafely via the `html` Knockout binding (changed to `text` in the fix) [4]. The attacker needs no special network position beyond authenticated access to the Rundeck interface. The steps are: (1) navigate to the Job Edit page, (2) create a new script step, (3) set the script file name or text to include a payload (e.g., ``), (4) save the job. Any subsequent visit to that job's edit page triggers execution of the payload [3][4].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim’s session in the Rundeck web UI. This can lead to session theft, credential exfiltration, unauthorized job execution, or other actions as the affected user. The attack is stored, meaning the payload persists across sessions and can affect multiple users without further interaction from the attacker beyond creating/modifying the job [3].

Mitigation

Rundeck Community Edition version 3.0.13 contains the fix, released in January 2019 [1][2]. The patch replaces unsafe html knockout bindings with text bindings in the script step preview area, preventing script execution [4]. Users should upgrade to 3.0.13 or later. No workaround is provided in the public references; as of this writing, the vulnerability is not listed on the CISA KEV. Users of later versions (e.g., 4.x) are not affected [2].
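A check for the same bug class, as an added example that is not Rundeck's code: it scans template source for Knockout `html` bindings so each one can be reviewed. The function names and the sample template are constructed for illustration; only the first two sample lines reproduce the before/after `<span>` from the fix.

```javascript
// Added example (not Rundeck code). Split a data-bind value into top-level
// {name, expr} pairs, ignoring commas inside {}, [], () or quoted strings.
function splitBindings(value) {
  const parts = [];
  let depth = 0, quote = null, start = 0;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if ('{[('.includes(c)) depth++;
    else if ('}])'.includes(c)) depth--;
    else if (c === ',' && depth === 0) {
      parts.push(value.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(value.slice(start));
  return parts.map((p) => {
    const idx = p.indexOf(':');
    if (idx < 0) return null;
    const name = p.slice(0, idx).trim().replace(/^['"]|['"]$/g, '');
    return { name, expr: p.slice(idx + 1).trim() };
  }).filter(Boolean);
}

// Return [{line, expr}] for every `html` binding in the source text.
function findHtmlBindings(source) {
  const attr = /data-bind\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  const findings = [];
  for (const m of source.matchAll(attr)) {
    const line = source.slice(0, m.index).split('\n').length;
    for (const b of splitBindings(m[1] ?? m[2])) {
      if (b.name === 'html') findings.push({ line, expr: b.expr });
    }
  }
  return findings;
}

// Constructed sample: lines 1-2 are the before/after <span> from the fix.
const SAMPLE = [
  '<code>$ <span data-bind="html: invocationPreviewHtml"></span></code>',
  '<code>$ <span data-bind="text: invocationPreviewHtml"></span></code>',
  `<div data-bind="css: {on: a, html: b}, html: note() + ', ok'"></div>`,
  '<p data-bind="text: label, visible: items().length > 0"></p>',
].join('\n');

console.log(findHtmlBindings(SAMPLE));
```

Each finding still needs manual review: an `html` binding is only a problem when its expression can carry user-controlled text, as `invocationPreviewHtml` did.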

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.rundeck:rundeck (Maven) | < 3.0.13 | 3.0.13 |

Patches

e992e94bba22

Merge pull request #4407 from rundeck/issue/4406-stored-xss

https://github.com/rundeck/rundeck · Greg Schueler · Jan 22, 2019 · via ghsa
2 files changed · +4 −4
  • rundeckapp/grails-app/assets/javascripts/workflowStepEditorKO.js +3 −3 modified
    @@ -388,7 +388,7 @@ function ScriptStep(data) {
         self.argStringAsQuotedWithScriptfile = ko.computed(function () {
             var isq = self.argsQuoted() ? '"' : '';
             return isq
    -            + '<em>' + self.scriptfileText() +'</em> '
    +            + self.scriptfileText() + ' '
                 + self.args()
                 + isq;
         });
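Review bot: In argStringAsQuotedWithScriptfile, self.scriptfileText() and self.args() are still concatenated as raw strings, so this computed is only safe while every consumer renders it with a text binding. Add a comment on the computed stating that it returns unescaped plain text and must not be bound with html, or escape both values here if the emphasis markup is wanted back.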
    @@ -410,7 +410,7 @@ function ScriptStep(data) {
         self.invocationPreviewHtml = ko.computed(function () {
             var text = '';
             if (self.invocationString() && self.invocationString().indexOf('${scriptfile}') >= 0) {
    -            text += self.invocationString().split('\$\{scriptfile\}').join('<em>' + self.scriptfileText() +'</em>') + ' ' + self.argStringAsQuoted();
    +            text += self.invocationString().split('\$\{scriptfile\}').join(  self.scriptfileText() ) + ' ' + self.argStringAsQuoted();
             } else if (self.invocationString()) {
                 text += self.invocationString() + ' ' + self.argStringAsQuotedWithScriptfile();
             } else {
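Review bot: The computed is still named invocationPreviewHtml although, with the <em> wrapper removed, it now returns plain text. Rename it (for example invocationPreviewText) so the name does not invite a later html binding, and drop the stray spaces in join(  self.scriptfileText() ).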
    @@ -527,4 +527,4 @@ function WorkflowStep(data) {
             },
             ignore: ['editor']
         }, this);
    -}
    \ No newline at end of file
    +}
    
  • rundeckapp/grails-app/views/execution/_wfitemEdit.gsp +1 −1 modified
    @@ -564,7 +564,7 @@
                                 <div class="col-sm-2 control-label"><g:message code="Workflow.step.script.execution.preview.label" /></div>
     
                                 <div id='interpreterArgsQuotedHelp${rkey}_preview' class="col-sm-10 form-control-static">
    -                                <code>$ <span data-bind="html: invocationPreviewHtml"></span></code>
    +                                <code>$ <span data-bind="text: invocationPreviewHtml"></span></code>
                                 </div>
     
                                 <g:embedJSON id="scriptStepData_${rkey}" data="${[invocationString: item?.scriptInterpreter?:'',fileExtension: item?.fileExtension?:'',args: item?.argString?:'',argsQuoted: item?.interpreterArgsQuoted?true:false]}"/>
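Review bot: The commit changes only the JS file and this template, so nothing guards the text binding on invocationPreviewHtml against regression. Add a test that a scriptfileText containing markup is shown literally in the preview span, and check the rest of _wfitemEdit.gsp for other html: bindings fed by job fields, which this hunk does not show.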
    
