Kohsuke Kawaguchi reports: XSS vulnerability in Build failure analyzer plugin. If you enter javascript in the Description field for a failure cause, this is evaluated when a user loads the page for the build. Worse, when one loads the Failure Cause Management admin page, the javascript is evaluated during the load of that page as well. This was originally reported by Sharif Nassar
This is now public: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20
Upstream patch commit: https://github.com/jenkinsci/build-failure-analyzer-plugin/commit/cf20a8df11e71e8652180d9fafd9bb47385067c7
Statement: Not affected. This issue did not affect Jenkins as shipped with various Red Hat products, as they do not include the Jenkins Build Failure Analyzer plugin.