Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
{
"cpe": [
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*"
],
"extracted_events": [
{
"introduced": "2.483"
},
{
"fixed": "2.568"
},
{
"introduced": "2.492.1"
},
{
"fixed": "2.555.3"
}
],
"source": "CPE_RANGE"
}