Description
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781