CVE-2022-30970: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 18, 2022 (updated June 1, 2022)

Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

References

github.com/advisories/GHSA-cj9j-v8jp-6hm9
nvd.nist.gov/vuln/detail/CVE-2022-30970
www.jenkins.io/security/advisory/2022-05-17/

Code Behaviors & Features

Detect and mitigate CVE-2022-30970 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →