Description
Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
Remediation
References
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908
http://www.openwall.com/lists/oss-security/2020/09/16/3
Related Vulnerabilities
CVE-2017-15703 Vulnerability in maven package org.apache.nifi:nifi-web-api
CVE-2022-29172 Vulnerability in maven package org.webjars.npm:auth0-lock
CVE-2022-36904 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector
CVE-2022-42009 Vulnerability in maven package org.apache.ambari:ambari
CVE-2012-6662 Vulnerability in maven package org.fujion.webjars:jquery-ui