CVE-2021-22510
Description
Reflected XSS in Micro Focus Application Automation Tools Plugin for Jenkins up to version 6.7 allows arbitrary JavaScript execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Reflected cross-site scripting (XSS) vulnerability in the Micro Focus Application Automation Tools Plugin for Jenkins, affecting all versions 6.7 and earlier. The plugin fails to sanitize user input in the doTestConvert method, allowing arbitrary HTML/JavaScript injection [1][2].
Exploitation
An attacker can exploit this by crafting a malicious URL containing the payload and tricking a Jenkins user with access to the plugin's configuration into clicking it. No authentication or special permissions are required for the attacker to craft the URL, but the victim must be logged in to Jenkins [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or other actions on behalf of the victim [1][2].
Mitigation
The vulnerability is fixed in plugin version 6.8 and later; the fix commit adds output escaping with hudson.Util.escape before the converted test string is concatenated into the form-validation markup [4]. Users should upgrade to the latest version. The advisory mentions no workarounds [2].
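The pattern behind the fix, as an added illustration rather than the plugin's own code: the vulnerable shape concatenates untrusted converter output straight into HTML, the fixed shape escapes it first. The class name `EscapedMessageExample`, the `escapeHtml` helper and the sample input are assumptions made for this example; in Jenkins the real call is `hudson.Util.escape(String)`, which is replaced here by a minimal inline escaper so the file compiles without Jenkins core on the classpath.

```java
import java.util.Objects;

/**
 * Hypothetical example (not the plugin's code) of the SECURITY-2175 fix pattern:
 * untrusted text is HTML-escaped before being placed inside a markup message.
 * hudson.Util.escape(String) is the Jenkins API used by the real fix; escapeHtml
 * below is a minimal stand-in so this file needs no Jenkins dependency.
 */
public final class EscapedMessageExample {

    // Minimal HTML escaper for the characters that let text break out of a text node or attribute.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Pre-fix shape: raw converter output dropped straight into the <div>.
    static String vulnerableMessage(String convertedTests) {
        return "Conversion is successful : <div style=\"margin-top:20px\">" + convertedTests + "</div>";
    }

    // Post-fix shape: same wrapper markup, but the untrusted part is escaped first.
    static String fixedMessage(String convertedTests) {
        String result = escapeHtml(Objects.requireNonNull(convertedTests));
        return "Conversion is successful : <div style=\"margin-top:20px\">" + result + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a "test list" that carries markup instead of test names.
        String untrusted = "TestA<script>alert(1)</script>";
        System.out.println(vulnerableMessage(untrusted)); // markup reaches the browser as markup
        System.out.println(fixedMessage(untrusted));      // markup is rendered as literal text

        // Self-check: after removing the fixed wrapper, no tag delimiter remains in the escaped body.
        String body = fixedMessage(untrusted)
                .replace("Conversion is successful : <div style=\"margin-top:20px\">", "")
                .replace("</div>", "");
        if (body.contains("<") || body.contains(">")) {
            throw new AssertionError("escaping failed: " + body);
        }
    }
}
```

The wrapper markup is constant and author-controlled, so it stays literal; only the value that originates from user-supplied form input is escaped. That separation is the whole point of the fix and is the check to apply to any other message built the same way.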
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:hp-application-automation-tools-plugin (Maven) | < 6.8 | 6.8 |
Affected products
Patches (1)
19fbd69840104 [SECURITY-2175]
1 file changed · +3 −1
src/main/java/com/microfocus/application/automation/tools/octane/testrunner/TestsToRunConverterBuilder.java+3 −1 modified@@ -39,6 +39,7 @@ import hudson.Extension; import hudson.FilePath; import hudson.Launcher; +import hudson.Util; import hudson.model.*; import hudson.tasks.BuildStepDescriptor; import hudson.tasks.Builder; @@ -219,7 +220,8 @@ public FormValidation doTestConvert( TestsToRunConverterResult convertResult = TestsToRunConvertersFactory.createConverter(testsToRunFramework) .setFormat(format) .convert(rawTests, TestsToRunConverterBuilder.DEFAULT_EXECUTING_DIRECTORY); - return ConfigurationValidator.wrapWithFormValidation(true, "Conversion is successful : <div style=\"margin-top:20px\">" + convertResult.getConvertedTestsString() + "</div>"); + String result = Util.escape(convertResult.getConvertedTestsString()); + return ConfigurationValidator.wrapWithFormValidation(true, "Conversion is successful : <div style=\"margin-top:20px\">" + result + "</div>"); } catch (Exception e) { return ConfigurationValidator.wrapWithFormValidation(false, "Failed to convert : " + e.getMessage()); }
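Review bot: the second hunk escapes the success path only; the catch block two lines below it still does `"Failed to convert : " + e.getMessage()`, and exception messages from the converter can echo fragments of the raw `rawTests` input, so that branch remains unescaped markup. Wrap it the same way, e.g. `"Failed to convert : " + Util.escape(e.getMessage())`, or have `ConfigurationValidator.wrapWithFormValidation` escape its message argument centrally so no caller can forget.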
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
1. Jenkins Security Advisory 2021-04-07 (Jenkins Security Advisories, Apr 7, 2021)