Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
{
"source": "CPE_RANGE",
"cpe": [
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*"
],
"extracted_events": [
{
"introduced": "2.483"
},
{
"fixed": "2.551"
},
{
"introduced": "2.492.1"
},
{
"fixed": "2.541.2"
}
]
}