CVE-2020-2290

Name of the Vulnerable Software and Affected Versions Jenkins Active Choices Plugin versions 2.4 and earlier

Description The issue results in a stored cross-site scripting (XSS) vulnerability, which is exploitable by attackers with Job/Configure permission. This occurs because some return values of sandboxed scripts for Reactive Reference Parameters, specifically List and Map return values, are not properly escaped. The vulnerability allows attackers to inject malicious scripts, potentially leading to unauthorized access or data theft.

Recommendations For Jenkins Active Choices Plugin versions 2.4 and earlier, update to version 2.5 or later, which properly escapes all legal return values of sandboxed scripts, thereby resolving the stored XSS vulnerability.