Description

Build-Publisher does not restrict protocols for the Public Hudson server URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.

We don't consider it a security vulnerability, because you need administer permission to exploit it and as an administer you can already do all the impact of a XSS.

Recommendation
Restrict allowed protocols to a safe subset like http(s) + mailto.