The default installation and configuration of Jenkins CI is prone to a security vulnerability. The Jenkins CI default markup formatter permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side). Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround: 'MyspacePolicy' permits tag("form", "action", ONSITE_OR_OFFSITE_URL, "method"); Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely. References: http://seclists.org/fulldisclosure/2013/Dec/159
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 2.1 Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html
Mitigation: 'MyspacePolicy' permits tag("form", "action", ONSITE_OR_OFFSITE_URL, "method"); Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.