Description
Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post-build step.
Remediation
References
https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1918
Related Vulnerabilities
CVE-2020-13445 Vulnerability in maven package com.liferay:com.liferay.portal.template.freemarker
CVE-2017-2650 Vulnerability in maven package cprice404:pipeline-classpath
CVE-2018-6341 Vulnerability in maven package org.webjars.npm:react-dom
CVE-2019-1003088 Vulnerability in maven package egor-n:fabric-beta-publisher
CVE-2021-41084 Vulnerability in maven package org.http4s:http4s-server_3