Jesper Den Boer

**Name of the Vulnerable Software and Affected Versions** billboard.js versions prior to 3.18.0 **Description** billboard.js versions before 3.18.0 are susceptible to malicious JavaScript execution. This occurs because of inadequate sanitization when binding chart options. The issue allows an attacker to inject and run malicious code within the application using billboard.js. **Recommendations** Update billboard.js to version 3.18.0 or later.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue arises from the `stripImages` and `stripIframes` methods not properly processing inputs, which leads to XSS vectors. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to improper handling of input, which could lead to a cross-site scripting (XSS) vector. Specifically, this concerns the `StringHelper::truncate` method. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wrapper extensions (affected versions not specified) **Description** The issue arises from inadequate input validation in the wrapper extensions, leading to Cross-Site Scripting (XSS) vectors. XSS is a type of security vulnerability that allows an attacker to inject malicious scripts into a website, potentially stealing user data or taking control of the user's session. In this case, the lack of proper content filtering in various components of the wrapper extensions makes them susceptible to XSS vulnerabilities. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Custom Fields component (affected versions not specified) **Description** The issue is related to the Custom Fields component not correctly filtering inputs, which leads to a cross-site scripting (XSS) vector. This means an attacker could potentially inject malicious scripts into the component, affecting the security of the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to the fancyselect list field layout, which does not correctly escape inputs. This leads to a self-XSS vector, allowing potential exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Lockable Resources Plugin versions 2.4 and earlier **Description** The issue allows attackers to inject arbitrary JavaScript code in web pages rendered by the plugin due to a cross-site scripting vulnerability. This can be exploited by attackers who can control resource names, potentially allowing a remote attacker to inject arbitrary JavaScript code into web pages displayed by the plugin. **Recommendations** For Jenkins Lockable Resources Plugin versions 2.4 and earlier, consider updating to a version later than 2.4 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.115 and older Jenkins LTS versions 2.107.1 and older **Description** A cross-site scripting issue exists in confirmationList.jelly and stopButton.jelly, allowing attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript. This JavaScript would be executed in another user's browser when that other user performs certain UI actions. **Recommendations** For Jenkins versions 2.115 and older, update to a version newer than 2.115 to resolve the issue. For Jenkins LTS versions 2.107.1 and older, update to a version newer than 2.107.1 to resolve the issue.