Security Researcher named as "Sony" have discovered and exposed a Persistent Cross site scripting vulnerability in Jenkins web application, Jenkins is an open-source continuous integration server with 300+ plugins to support all kinds of software development.
The websites Bnl.gov,Washington.edu,nps.edu and other sites which are using the Jenkins web app vulnerable to this attack.
The description and other fields are vulnerable to Persistent XSS, we can use "Edit Description" and put our xss Code inside. Researcher gave a Demo for the vulnerability : (it's not a deface, it's only demo with cross site scripting)
Poc:
http://jicama.cs.washington.edu:8080/hudson/user/Sony/
http://jicama.cs.washington.edu:8080/hudson/user/SonyStyles/
http://www.bnl.gov/world/
https://savage.nps.edu/jenkins/user/SonyStyles/
The websites Bnl.gov,Washington.edu,nps.edu and other sites which are using the Jenkins web app vulnerable to this attack.
The description and other fields are vulnerable to Persistent XSS, we can use "Edit Description" and put our xss Code inside. Researcher gave a Demo for the vulnerability : (it's not a deface, it's only demo with cross site scripting)
Poc:
http://jicama.cs.washington.edu:8080/hudson/user/Sony/
http://jicama.cs.washington.edu:8080/hudson/user/SonyStyles/
http://www.bnl.gov/world/
https://savage.nps.edu/jenkins/user/SonyStyles/