Overview
Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.
Details
The Jenkins ` markdown-formatter ` plugin can be abused by Stored Cross-Site Scripting vulnerability since the function `translate()` performs improper validation checks using `escapeHTML()` function on the input sent to the `description` parameter before rendering it in markdown format. Due to this flaw, an authenticated attacker can cause Stored Cross-Site Scripting.
PoC Details
On the Jenkins application with markdown-formatter installed, click on Manage Jenkins, select configureSecurity in security configuration category and then select the markup formatter as Markdown Format and save it. Then click on add description, and put the payload in the `description` text field, then submit the description. One hyperlink has been created in description and XSS will trigger once it is clicked.
PoC Code
[click me](javascript:alert`XSS`)
Affected Environments
0.1.0
Prevention
Upgrade to 0.2.0