Description
Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.
Remediation
References
https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2809
Related Vulnerabilities
CVE-2021-32014 Vulnerability in npm package xlsx
CVE-2023-36470 Vulnerability in maven package org.xwiki.platform:xwiki-platform-icon-default
CVE-2019-10375 Vulnerability in maven package hudson.plugins.filesystem_scm:filesystem_scm
CVE-2020-35200 Vulnerability in maven package org.igniterealtime.openfire.plugins:clientcontrol
CVE-2021-21605 Vulnerability in maven package org.jenkins-ci.main:jenkins-core