Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
{
"versions": [
{
"introduced": "0"
},
{
"fixed": "3.10.1"
},
{
"introduced": "867.v7c3a_b_83a_eb_79"
},
{
"fixed": "876.v99d29788b_36b_"
}
]
}