{"id":"CVE-2020-2194","details":"Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability.","aliases":["GHSA-q397-w28f-jx97"],"modified":"2026-04-11T20:41:09.898543Z","published":"2020-06-03T13:15:10.853Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2020/06/03/3"},{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1842"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/echarts-api-plugin","events":[{"introduced":"0"},{"last_affected":"fcc73f79274522a5b3fbcaacbd76fb78e39526e1"}],"database_specific":{"cpe":"cpe:2.3:a:jenkins:echarts_api:*:*:*:*:*:jenkins:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"4.7.0-3"}],"source":"CPE_FIELD"}}],"versions":["echarts-api-4.4.0-1-beta1","echarts-api-4.4.0-2-beta1","echarts-api-4.4.0-3-beta1","echarts-api-4.4.0-4-beta1","echarts-api-4.4.0-5-beta1","echarts-api-4.4.0-6-beta1","echarts-api-4.4.0-7-beta1","echarts-api-4.4.0-8-beta1","echarts-api-4.6.0-1-beta1","echarts-api-4.6.0-10","echarts-api-4.6.0-2-beta1","echarts-api-4.6.0-3-beta1","echarts-api-4.6.0-4-beta1","echarts-api-4.6.0-5-beta1","echarts-api-4.6.0-7","echarts-api-4.6.0-8","echarts-api-4.6.0-9","echarts-api-4.7.0-1","echarts-api-4.7.0-2","echarts-api-4.7.0-3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-2194.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}