Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected Packages

Maven org.jenkins-ci.plugins:sonargraph-integration

Affected versions: 0 (last affected: 5.0.1)

Related CVEs

CVE-2023-35145

Key Information

GHSA ID

GHSA-wmxx-2pvr-x7j6

Published

June 14, 2023 3:30 PM

Last Modified

June 14, 2023 8:30 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:sonargraph-integration

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.