Jenkins Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2022-34171
Reference:
CVE-2022-34171
Title:
Jenkins Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 39title39 attribute of 39l:ionicon39 (until Jenkins 2.334) and 39alt39 attribute of 39l:icon39 (since Jenkins 2.335) without further escaping resulting in a cross-site scripting (XSS) vulnerability.