GHSA-fx9p-2qvx-pgjv

GitHub Security Advisory

Jenkins ElectricFlow Plugin is vulnerable to stored cross-site scripting

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

The plugin adds metadata displayed on build pages during its operations.

User-supplied content was not escaped, resulting in a cross-site scripting vulnerability that allowed users with Job/Configure permission, or attackers controlling API responses received from ElectricFlow, to render arbitrary HTML and JavaScript on Jenkins build pages.

Build metadata is now filtered through an HTML formatter that only allows basic HTML, neutralizing any unsafe data. Additionally, all builds executed after the security update is applied properly escape content received from ElectricFlow.

Affected Packages

Maven org.jenkins-ci.plugins:electricflow
Affected versions: >= 0, < 1.1.7 (fixed in 1.1.7)

Related CVEs

Key Information

GHSA ID: GHSA-fx9p-2qvx-pgjv
Published: May 24, 2022 4:47 PM
Last Modified: October 26, 2023 10:19 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:electricflow
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.