CVE-2022-30961

Name of the Vulnerable Software and Affected Versions Jenkins Autocomplete Parameter Plugin versions 1.1 and earlier

Description The issue results in a stored cross-site scripting (XSS) vulnerability due to the failure to escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters. This vulnerability is exploitable by attackers with Item/Configure permission. Exploitation requires that parameters are listed on another page and that those pages are not hardened to prevent exploitation. It is noted that Jenkins (core) has prevented exploitation of similar vulnerabilities on certain pages since version 2.44 and LTS 2.32.2.

Recommendations For Jenkins Autocomplete Parameter Plugin versions 1.1 and earlier, consider updating to a version that fixes this issue, although the specific fixed version is not provided in the available information. As a temporary workaround, ensure that pages listing parameters, such as the "Build With Parameters" and "Parameters" pages, are hardened to prevent exploitation. Additionally, review the configuration of Jenkins (core) and other plugins to ensure they are updated to prevent similar vulnerabilities, as several plugins have been updated to list parameters in a way that prevents exploitation by default. At the moment, there is no information about a newer version that contains a fix for this vulnerability.