Description
Jenkins 2.227 and earlier, and LTS 2.204.5 and earlier, do not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
Remediation
References
Related Vulnerabilities
Apache HTTP Server Resource Management Errors Vulnerability (CVE-2012-4557)
Internet Information Services Other Vulnerability (CVE-2002-0869)
TYPO3 Improper Restriction of XML External Entity Reference Vulnerability (CVE-2020-26229)
WordPress Plugin Moova for WooCommerce Cross-Site Scripting (3.5)
WordPress Plugin Oi Yandex.Maps for WordPress Cross-Site Scripting (3.2.7)