CVE-2022-30970

Name of the Vulnerable Software and Affected Versions Jenkins Autocomplete Parameter Plugin versions 1.1 and earlier

Description The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin references certain parameter names in an unsafe manner from Javascript embedded in view definitions. This vulnerability is exploitable by attackers with Item/Configure permission. The vulnerability is independent of similar issues and can be exploited even on views that attempt to prevent XSS vulnerabilities in parameter names.

Recommendations For Jenkins Autocomplete Parameter Plugin versions 1.1 and earlier, consider disabling the use of Dropdown Autocomplete and Auto Complete String parameters until a patch is available. Restrict access to views that render these parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.