CVE-2018-1000170

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.115 and older Jenkins LTS versions 2.107.1 and older

Description A cross-site scripting issue exists in confirmationList.jelly and stopButton.jelly, allowing attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript. This JavaScript would be executed in another user's browser when that other user performs certain UI actions.

Recommendations For Jenkins versions 2.115 and older, update to a version newer than 2.115 to resolve the issue. For Jenkins LTS versions 2.107.1 and older, update to a version newer than 2.107.1 to resolve the issue.