Description
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781
Related Vulnerabilities
CVE-2019-10294 Vulnerability in maven package org.jenkins-ci.plugins:kmap-jenkins
CVE-2023-33246 Vulnerability in maven package org.apache.rocketmq:rocketmq-controller
CVE-2023-37944 Vulnerability in maven package org.datadog.jenkins.plugins:datadog
CVE-2023-40350 Vulnerability in maven package org.jenkins-ci.plugins:docker-swarm
CVE-2021-21166 Vulnerability in maven package org.webjars.npm:electron