PT-2022-22056 · Jenkins · Jenkins Hidden Parameter Plugin

Published: 2022-06-22 · Updated: 2023-11-03 · CVE-2022-34188

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Hidden Parameter Plugin versions 0.0.4 and earlier

Description: The Jenkins Hidden Parameter Plugin does not escape the name and description of Hidden Parameter parameters on views that display parameters, resulting in a stored cross-site scripting (XSS) vulnerability. This vulnerability is exploitable by attackers with Item/Configure permission. Exploitation requires that the parameters are listed on another page, such as the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2.

Recommendations: For Jenkins Hidden Parameter Plugin versions 0.0.4 and earlier, consider disabling the plugin until a patch is available, to prevent exploitation of the stored cross-site scripting (XSS) vulnerability. Restrict access to the "Build With Parameters" and "Parameters" pages provided by Jenkins (core) to minimize the risk of exploitation. Avoid using the name and description fields of Hidden Parameter parameters in views that display parameters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
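The following is an added defender-side example, not code from the advisory or from the plugin: it audits a Jenkins job config.xml for parameter definitions whose name or description carries HTML markup (the fields this advisory says are rendered unescaped), and shows the escaping a hardened view must apply. The config.xml sample is constructed, and the hidden-parameter class name in it is a placeholder rather than the plugin's real class name.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins job config.xml. hudson.model.StringParameterDefinition
# is a Jenkins core class; com.example.HiddenParameterDefinition is a placeholder for
# the plugin's class name, which this advisory does not state.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.StringParameterDefinition>
          <name>BRANCH</name>
          <description>Branch to build</description>
          <defaultValue>main</defaultValue>
        </hudson.model.StringParameterDefinition>
        <com.example.HiddenParameterDefinition>
          <name>DEPLOY_TOKEN</name>
          <description>Token &lt;b&gt;(internal)&lt;/b&gt;</description>
        </com.example.HiddenParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>
"""

# Characters that become live markup when a view interpolates the value without escaping.
MARKUP_CHARS = set('<>"\'&')


def find_unescaped_parameters(config_xml):
    """Return (parameter_type, field, value) for every parameter definition whose
    name or description contains characters that an unescaped view would render as HTML."""
    root = ET.fromstring(config_xml)
    findings = []
    for defs in root.iter("parameterDefinitions"):
        for param in defs:  # each child is one parameter definition; its tag is the class name
            for field in ("name", "description"):
                node = param.find(field)
                value = (node.text or "") if node is not None else ""
                if MARKUP_CHARS & set(value):
                    findings.append((param.tag, field, value))
    return findings


def escape_for_view(value):
    """What a hardened view must do before placing a parameter name or description in HTML."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for param_type, field, value in find_unescaped_parameters(SAMPLE_CONFIG):
        print(f"{param_type}.{field}: {value!r} -> {escape_for_view(value)!r}")
```

The same walk can be run over every job's config.xml under JENKINS_HOME/jobs to find definitions that would be rendered by an unhardened parameters view.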

Weakness Enumeration: XSS

Related Identifiers:
CVE-2022-34188
GHSA-JHFV-8936-G652

Affected Products:
Jenkins
Jenkins Hidden Parameter Plugin