Description

Test Results Analyzer lack of escape in TestResultsAnalyzerAction/index.jelly#L211-L214.

It’s also possible to deface the application dues to TestResultsAnalyzerAction/index.jelly#L25-L37.

This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.

We don't consider it a security vulnerability, because you need administer permission to exploit it and as an administer you can already do all the impact of a XSS.

Recommendation

• (minimum) escape the variable, with Util.escape (from Jenkins Core),
• (better) or inject the Java variable value following best practice from https://www.jenkins.io/doc/developer/security/xss-prevention/#passing-values-to-javascript.