Phu X. Mai

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.227 and earlier Jenkins LTS versions 2.204.5 and earlier **Description** The issue is related to the absence of HTTP Content-Security-Policy headers for files uploaded as file parameters to a build. This results in a stored cross-site scripting (XSS) vulnerability, which can be exploited by users with permissions to build a job with file parameters, allowing remote attackers to perform cross-site scripting attacks. **Recommendations** For Jenkins versions 2.227 and earlier, update to a version that sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter. For Jenkins LTS versions 2.204.5 and earlier, update to a version that sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter. As a temporary workaround, consider setting the system property `hudson.model.DirectoryBrowserSupport.CSP` to override the value of Content-Security-Policy headers sent when serving these files.