Description
Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step.
Remediation
References
https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1918
Related Vulnerabilities
CVE-2019-3894 Vulnerability in maven package org.wildfly:wildfly-ee
CVE-2021-22114 Vulnerability in maven package org.springframework.integration:spring-integration-zip
CVE-2023-30518 Vulnerability in maven package io.jenkins.plugins:thycotic-secret-server
CVE-2023-28103 Vulnerability in npm package matrix-react-sdk
CVE-2017-12625 Vulnerability in maven package org.apache.hive.hcatalog:hive-hcatalog-core