Description
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781
Related Vulnerabilities
CVE-2020-6467 Vulnerability in maven package org.webjars.npm:electron
CVE-2022-41248 Vulnerability in maven package org.jenkins-ci.plugins:bigpanda-jenkins
CVE-2023-27095 Vulnerability in maven package cn.hippo4j:hippo4j-core
CVE-2021-21290 Vulnerability in maven package io.netty:netty-testsuite
CVE-2019-10279 Vulnerability in maven package org.jenkins-ci.plugins:jenkins-reviewbot