Description
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
Remediation
References
http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
http://www.openwall.com/lists/oss-security/2020/01/15/1
https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
Related Vulnerabilities
CVE-2020-8124 Vulnerability in maven package org.webjars.bowergithub.unshiftio:url-parse
CVE-2023-26486 Vulnerability in npm package vega-functions
CVE-2022-25979 Vulnerability in maven package org.webjars.npm:jsuites
CVE-2020-15138 Vulnerability in maven package org.webjars:prismjs
CVE-2019-10770 Vulnerability in maven package io.ratpack:ratpack-core