Kohsuke Kawaguchi reports:
XSS vulnerability in Build failure analyzer plugin.
If you enter javascript in the Description field for a failure cause, this is evaluated when a user loads the page for the build.
Worse, when one loads the Failure Cause Management admin page, the javascript is evaluated during the load of that page as well.
This was originally reported by Sharif Nassar
Statement:
Not affected. This issue did not affect Jenkins as shipped with various Red Hat products, as they do not include the Jenkins Build Failure Analyzer plugin.