CVE-2024-28160: Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS)…

high8.8CVSS 3.1

AVNACLPRLUINSUCHIHAH

Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

Affected

13 ranges

Vendor	Product	Version range	Fixed in
jenkins	appspider_plugin	—	—
jenkins	bitbucket_branch_source_plugin	—	—
jenkins	build_monitor_view_plugin	—	—
jenkins	delphix_plugin	—	—
jenkins	gitbucket_plugin	—	—
jenkins	html_publisher_plugin	—	—
jenkins	icescrum	<= 1.1.6	—
jenkins	improper_input_sanitization_in_html_publisher_plugin	—	—
jenkins	mq_notifier_plugin	—	—
jenkins	owasp_dependency-check_plugin	—	—
jenkins	subversion_partial_release_manager_plugin	—	—
jenkins	tls_certificate_validation_in_delphix_plugin	—	—
jenkins_project	jenkins_icescrum_plugin	<= 1.1.6	—