
Antoine Ruffino

Researcher from CloudBees, Inc.
#42071 of 53,633
6.4 Total CVSS
Vulnerabilities · 1
PT-2025-9861
6.4
2025-03-05
Jenkins · Jenkins · CVE-2025-27624
**Name of the Vulnerable Software and Affected Versions**

Jenkins versions 2.499 and earlier, LTS 2.492.1 and earlier

**Description**

A cross-site request forgery (CSRF) vulnerability allows attackers to have users toggle the collapsed/expanded status of sidepanel widgets, such as the Build Queue and Build Executor Status widgets. The issue arises because the HTTP endpoint for toggling the collapsed/expanded status does not require POST requests, making it vulnerable to CSRF. Additionally, the API accepts any string as the identifier of the panel to be toggled, allowing attacker-controlled content to be stored in the victim's user profile in Jenkins.

**Recommendations**

For Jenkins versions 2.499 and earlier, update to version 2.500 or later to resolve the issue. For LTS versions 2.492.1 and earlier, update to LTS version 2.492.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected HTTP endpoint until a patch is available. Avoid using the vulnerable API endpoint for toggling sidepanel widgets until the issue is resolved.