3 matches found
Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this...
Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip parameters. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability. Symbol-based icons no longer unescap...
Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping. This vulnerability is known to be exploitable by attackers with...