This advisory announces vulnerabilities in the following Jenkins deliverables:
Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Scriptler Plugin 3.3 escapes parameter names shown in job configuration forms.
Scriptler Plugin 3.1 and earlier does not escape script content.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Scriptler Plugin 3.2 escapes script content.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: