{"id":"CVE-2021-21619","details":"Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.","aliases":["GHSA-48hr-jg4p-w4p4"],"modified":"2025-11-14T11:14:13.563047Z","published":"2021-02-24T16:15:14.983Z","references":[{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2021/02/24/3"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2021-02-24/#SECURITY-2188%20%281%29"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/claim-plugin","events":[{"introduced":"0"},{"last_affected":"b1f6b6851ec2ed87862957f9228217745e8c66f8"}]}],"versions":["claim-2.0","claim-2.1","claim-2.10","claim-2.11","claim-2.12","claim-2.13","claim-2.13.1","claim-2.14","claim-2.14.1","claim-2.15","claim-2.16","claim-2.17","claim-2.18","claim-2.18.1","claim-2.2","claim-2.3","claim-2.4","claim-2.5","claim-2.6","claim-2.7","claim-2.8","claim-2.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21619.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}