PT-2022-18283 · Jenkins · Jenkins Dashboard View Plugin +1

Kevin Guerroudj +1 · Published 2022-03-15 · Updated 2023-11-22 · CVE-2022-27197

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Dashboard View Plugin versions 2.18 and earlier

Description: The issue is a stored cross-site scripting (XSS) vulnerability. It occurs because the Jenkins Dashboard View Plugin does not perform URL validation for the Iframe Portlet's Iframe source URL, making it exploitable by attackers who can configure views.

Recommendations: For Jenkins Dashboard View Plugin versions 2.18 and earlier, update to version 2.18.1 or later, which performs URL validation for the Iframe Portlet's Iframe source URL and sets the sandbox attribute for the iframe to restrict the included page. As a temporary workaround, consider using the Java system property hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue to customize the sandbox attribute value. Alternatively, the Java system property hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox can be used to disable the sandbox completely, but this is not recommended as it may increase the risk of exploitation.
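The two controls named in the recommendation, validating the iframe source URL and emitting a sandbox attribute, are illustrated below in a Python sketch. This is an added example written for this page, not the plugin's own (Java) code, and the exact validation rule the 2.18.1 release applies is not stated here; the example assumes a strict rule of "absolute http or https URL with a host only", an empty (fully restrictive) sandbox value as the default, and a `sandbox=None` switch standing in for the doNotUseSandbox property. The sample source values are constructed for the demonstration.

```python
import html
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the advisory): values a view
# configurer might enter as the Iframe Portlet source, benign and otherwise.
SAMPLE_SOURCES = [
    "https://status.example.invalid/board",        # benign absolute https URL
    "http://intranet.example.invalid/metrics",     # benign plain http URL
    "javascript:alert(document.domain)",           # script URL, must be rejected
    "data:text/html,<script>alert(1)</script>",    # data URL, must be rejected
    "  JAVASCRIPT:alert(1)",                       # whitespace + mixed case, still rejected
    "//evil.example.invalid/",                     # scheme-relative, rejected
    "/view/all/",                                  # relative path, rejected by the strict rule
]

ALLOWED_SCHEMES = {"http", "https"}

# Assumption: an empty sandbox attribute (every restriction enabled) is the
# default; a deployment can relax it, which mirrors sandboxAttributeValue.
DEFAULT_SANDBOX = ""


def is_safe_iframe_src(url: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host.

    Assumed rule (not necessarily the plugin's): anything without an explicit
    http/https scheme is refused, so javascript:, data:, vbscript: and
    scheme-relative values never reach the iframe's src attribute.
    """
    if not isinstance(url, str):
        return False
    cleaned = url.strip()  # browsers tolerate surrounding whitespace in src
    if not cleaned:
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False  # malformed input (e.g. bad IPv6 brackets) is not safe
    # urlsplit lower-cases the scheme, so "JAVASCRIPT:" is caught as well.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_iframe_portlet(url: str, sandbox: Optional[str] = DEFAULT_SANDBOX) -> str:
    """Render the portlet markup, refusing unsafe sources.

    sandbox=None models the doNotUseSandbox switch from the advisory: the
    attribute is omitted entirely, which the advisory advises against.
    """
    if not is_safe_iframe_src(url):
        raise ValueError("iframe source must be an absolute http(s) URL")
    # Attribute-escape the value so a stray quote cannot break out of src="".
    src = html.escape(url.strip(), quote=True)
    if sandbox is None:
        return f'<iframe src="{src}"></iframe>'
    return f'<iframe src="{src}" sandbox="{html.escape(sandbox, quote=True)}"></iframe>'


def triage(sources: Iterable[str]) -> dict:
    """Map each candidate source to the validator's verdict (for review/audit)."""
    return {s: is_safe_iframe_src(s) for s in sources}


if __name__ == "__main__":
    for source, ok in triage(SAMPLE_SOURCES).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {source!r}")
    print(render_iframe_portlet("https://status.example.invalid/board"))
```

Running the script prints one ACCEPT/REJECT line per sample and the rendered markup for the benign case. The validator is deliberately stricter than a browser: it refuses relative and scheme-relative sources too, which is a reasonable posture for a portlet whose configurer is a lower-privileged user, and it is kept separate from rendering so the same check can be reused wherever the source value is read back.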

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-27197
GHSA-6FG4-36V7-XV32

Affected Products

Jenkins
Jenkins Dashboard View Plugin