CVE-2022-34170
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive), the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attacker...
CVE-2022-34170
Summary (CVE-2022-34170): Jenkins core versions 2.320 through 2.355 and LTS 2.332.1 through 2.332.3 are affected by an XSS in tooltips: the help icon's tooltip does not escape the feature name it displays, undoing the fix for SECURITY-1955. Because the feature name is attacker-controlled through the UI, this enables stored XSS by attackers with Job/Configure permission. The issue...
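As an added illustration of the escaping failure the advisory describes (not Jenkins' own code): a constructed tooltip builder in its vulnerable form beside a hardened one. The markup shape, the function names, the crude tag-count check and the hostile feature name are all assumptions; only the mechanism, an unescaped feature name concatenated into a tooltip attribute, comes from the advisory.

```javascript
// Added example, not Jenkins source. Shows how an unescaped feature name
// inside a tooltip attribute becomes stored XSS, and the escaping that
// prevents it. Markup and names are assumptions for illustration.

// Minimal HTML escaper covering the characters that can terminate an
// attribute value or open a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the feature name is concatenated into the tooltip
// attribute as-is. A name containing a double quote closes the attribute,
// and anything after it is parsed as markup.
function helpIconVulnerable(featureName) {
  return '<a class="help-icon" tooltip="Help for feature: ' + featureName + '"></a>';
}

// Hardened pattern: identical markup, but the feature name is escaped
// before it is placed inside the attribute value.
function helpIconEscaped(featureName) {
  return '<a class="help-icon" tooltip="Help for feature: ' + escapeHtml(featureName) + '"></a>';
}

// Crude check (assumption): count element start tags in the rendered snippet.
// The builder intends to emit exactly one <a>; any additional start tag means
// the attacker-controlled value broke out of its attribute.
function tagCount(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed attacker-controlled feature name (assumption): closes the
// tooltip attribute and the anchor's start tag, injects an element with an
// event handler, then opens a dummy tag so the template's trailing `"></a>`
// still parses cleanly.
const HOSTILE_NAME = '"><img src=x onerror="alert(document.domain)"><a x="';

// Render both variants with the hostile name and report what each produced.
function demo() {
  const vulnerable = helpIconVulnerable(HOSTILE_NAME);
  const hardened = helpIconEscaped(HOSTILE_NAME);
  return {
    vulnerable,
    hardened,
    vulnerableTags: tagCount(vulnerable), // 3: intended <a>, injected <img>, injected <a>
    hardenedTags: tagCount(hardened),     // 1: only the intended <a>
  };
}

console.log(demo());
```

The same check generalises to any server-rendered attribute: if a template concatenates a user-controlled string into an attribute without escaping at the point of output, the regression the advisory describes (a fix in one place silently undone by another rendering path) is exactly what a tag-count or escaped-output assertion in a unit test would catch.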