Description
Jenkins 2.415 and earlier, and LTS 2.401.2 and earlier, do not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
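As an added illustration of the defect class (a Python model, not Jenkins's own Java code), a log-line linkifier that drops the matched URL into the anchor unencoded sits beside one that HTML-encodes it; `URL_RE`, the function names and the sample log line are constructed for this example.

```python
import html
import re

# Simplified URL matcher (constructed for this example, not Jenkins's annotator).
# Only http(s) is linked, so a javascript: or data: "URL" is never turned into an anchor.
URL_RE = re.compile(r"https?://\S+")


def _linkify(line: str, encode_url: bool) -> str:
    """Turn URLs in one log line into <a> tags; surrounding text is always escaped."""
    out, pos = [], 0
    for m in URL_RE.finditer(line):
        out.append(html.escape(line[pos:m.start()]))
        url = m.group(0)
        # The defect: with encode_url=False the raw URL lands in the href attribute
        # and in the link text, so quotes and angle brackets reach the browser as markup.
        shown = html.escape(url, quote=True) if encode_url else url
        out.append(f'<a href="{shown}">{shown}</a>')
        pos = m.end()
    out.append(html.escape(line[pos:]))
    return "".join(out)


def linkify_vulnerable(line: str) -> str:
    """Models the unpatched behaviour: URL inserted without encoding."""
    return _linkify(line, encode_url=False)


def linkify_fixed(line: str) -> str:
    """Hardened behaviour: URL is attribute- and text-encoded before insertion."""
    return _linkify(line, encode_url=True)


def unexpected_tags(rendered: str) -> set:
    """Detection check: any element other than the expected <a> means markup leaked in."""
    return set(re.findall(r"<(\w+)", rendered)) - {"a"}


# Constructed log line that an attacker-controlled build step could emit.
LOG_LINE = 'Fetching http://example.com/"><b>injected</b> from mirror'

if __name__ == "__main__":
    print(linkify_vulnerable(LOG_LINE))  # raw <b> survives inside the anchor
    print(linkify_fixed(LOG_LINE))       # quotes and brackets become entities
```

Running the block over the constructed line shows the vulnerable renderer leaking a `<b>` element into the page while the fixed one keeps a single `<a>` with an entity-encoded href.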
Remediation
References
Related Vulnerabilities
Atlassian Jira Improper Authentication Vulnerability (CVE-2022-0540)
WordPress Plugin ZdStatistics Cross-Site Scripting (2.0.1)
Jboss EAP Improper Restriction of XML External Entity Reference Vulnerability (CVE-2017-12629)
Drupal Core 4.7.x Security Bypass (4.7.0 - 4.7.7)
WordPress Plugin YITH Maintenance Mode Multiple Cross-Site Scripting Vulnerabilities (1.3.8)