Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.
{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:jenkins:github:*:*:*:*:*:jenkins:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.46.0.1"
}
]
}