Description
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781
Related Vulnerabilities
CVE-2022-41251 Vulnerability in maven package org.jenkins-ci.plugins:apprenda
CVE-2023-3691 Vulnerability in maven package org.webjars.bower:layui
CVE-2022-29546 Vulnerability in maven package net.sourceforge.nekohtml:nekohtml
CVE-2020-6452 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-40350 Vulnerability in maven package org.jenkins-ci.plugins:docker-swarm