Bug
Resolution: Fixed
Minor
None
526.v859673312a_14
Description
Role-based Authorization Strategy does not escape a role's name in its tooltip.
This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.
We don't consider it a security vulnerability, because you need Administer permission to exploit it, and as an administrator you can already do everything an XSS would allow.
Recommendation
https://www.jenkins.io/doc/developer/security/xss-prevention/
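
The class of bug described above, as an added example that is not the plugin's code: a stored role name is placed into tooltip HTML without escaping, shown beside the escaped form and a small regression check. All function names and the sample role names are hypothetical and constructed for illustration; in the plugin itself the fix belongs in its Jelly/Java view code, following the linked guide.

```javascript
// Added example, not taken from the Role-based Authorization Strategy plugin.
// All names below are hypothetical.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored role name is concatenated into tooltip HTML as-is.
function renderRoleTooltipUnsafe(roleName) {
  return '<div class="tooltip">Role: ' + roleName + "</div>";
}

// Fixed pattern: the role name is escaped at the point of output.
function renderRoleTooltipSafe(roleName) {
  return '<div class="tooltip">Role: ' + escapeHtml(roleName) + "</div>";
}

// Regression check helper: count opening tags in the rendered tooltip.
// The template contributes exactly one element (the wrapping <div>), so a
// higher count means the role name was interpreted as markup.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample role names, some containing HTML metacharacters.
const sampleRoleNames = ["developer", "<b>ops</b>", 'qa" title="x', "a&b <i>team</i>"];

// Returns the sample role names whose rendering introduced extra elements.
function auditRenderer(render) {
  return sampleRoleNames.filter((name) => countOpeningTags(render(name)) !== 1);
}

console.log("unsafe renderer leaks markup for:", auditRenderer(renderRoleTooltipUnsafe));
console.log("safe renderer leaks markup for:", auditRenderer(renderRoleTooltipSafe));
```

A check like `auditRenderer` fits in a plugin's UI test suite so that a later template change that drops the escaping is caught before release.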