Eddie Allan

**Name of the Vulnerable Software and Affected Versions** Jenkins global-build-stats plugin version 1.4 and earlier **Description** The issue concerns reflected cross-site scripting and cross-site request forgery vulnerabilities. Some URLs provided by the plugin returned JSON responses containing request parameters with a Content Type of text/html, which could be interpreted as HTML by clients. Furthermore, certain URLs that modify data did not require POST requests, potentially allowing for cross-site request forgery. **Recommendations** For Jenkins global-build-stats plugin version 1.4 and earlier, update to a version later than 1.4 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's URLs that modify data to minimize the risk of cross-site request forgery, and ensure that clients properly handle JSON responses to prevent reflected cross-site scripting.