
Lotfi Yahi

Researcher from Aix Marseille University
#19541 of 53,632
13.4 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)

PT-2025-44282 · CVSS 5.4 · 2025-10-29
Jenkins · Jenkins Extended Choice Parameter Plugin · CVE-2025-64133
**Name of the Vulnerable Software and Affected Versions**
Jenkins Extensible Choice Parameter Plugin versions 239.v5f5c278708cf and earlier

**Description**
A cross-site request forgery (CSRF) issue exists in the Jenkins Extensible Choice Parameter Plugin. This allows attackers to execute sandboxed Groovy code.

**Recommendations**
Update Jenkins Extensible Choice Parameter Plugin to a version later than 239.v5f5c278708cf.

PT-2025-11701 · CVSS 8.0 · 2025-03-19
Jenkins · Jenkins Anchorchain Plugin · CVE-2025-30196
**Name of the Vulnerable Software and Affected Versions**
Jenkins AnchorChain Plugin version 1.0

**Description**
The issue allows attackers to exploit a stored cross-site scripting (XSS) vulnerability by controlling the input file for the Anchor Chain post-build step. This is due to the plugin not limiting URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme.

**Recommendations**
For Jenkins AnchorChain Plugin version 1.0, consider disabling the Anchor Chain post-build step until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to workspace content to minimize the risk of attackers controlling the input file.