Description
Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
Remediation
References
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2884
Related Vulnerabilities
CVE-2020-11022 Vulnerability in maven package org.webjars.npm:jquery
CVE-2019-1003071 Vulnerability in maven package hudson.plugins.octopusdeploy:octopusdeploy
CVE-2018-1199 Vulnerability in maven package org.springframework.security:spring-security-web
CVE-2022-43414 Vulnerability in maven package org.jenkins-ci.plugins:nunit
CVE-2023-36468 Vulnerability in maven package org.xwiki.platform:xwiki-platform-core