Description
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).
Remediation
References
Related Vulnerabilities
WordPress Plugin Multisite Plugin Manager Multiple Cross-Site Scripting Vulnerabilities (3.1.1)
Internet Information Services CVE-2001-0146 Vulnerability (CVE-2001-0146)
WordPress Plugin WP ULike Cross-Site Scripting (3.1)
Drupal Core 4.7.x Multiple Cross-Site Scripting Vulnerabilities (4.7.0 - 4.7.6)
WordPress Plugin Weather Effect-Christmas Santa Snow Falling Cross-Site Request Forgery (1.3.3)