Description
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.
Remediation
References
Related Vulnerabilities
IBM WebSEAL Weak Password Requirements Vulnerability (CVE-2024-35137)
WordPress Plugin FeedWordPress Cross-Site Scripting (2014.0805)
Joomla! Core Multiple Cross-Site Scripting Vulnerabilities (2.5.0 - 3.9.1)
Moodle Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2021-20187)
Jboss EAP Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2019-9518)