[build-publisher] Admin only XSS

XMLWordPrintable

      Description

      Build-Publisher does not restrict protocols for the Public Hudson server URL.

      This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.

      We don't consider it a security vulnerability, because you need administer permission to exploit it and as an administer you can already do all the impact of a XSS.

      Recommendation
      Restrict allowed protocols to a safe subset like http(s) + mailto.

            Assignee:
            vjuranek
            Reporter:
            Kevin Guerroudj
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: