Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.
{ "nvd_published_at": "2023-04-02T21:15:00Z", "github_reviewed_at": "2023-04-10T16:39:20Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }