VYPR
High severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34783

Description

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Plot Plugin 2.1.10 and earlier has stored XSS due to unescaped plot descriptions, exploitable by attackers with Item/Configure permission.

Jenkins Plot Plugin 2.1.10 and earlier fails to escape plot descriptions, creating a stored cross-site scripting (XSS) vulnerability [1][2]. The plot description field, intended for user-provided text, is rendered without proper sanitization, allowing malicious script injection.

To exploit this vulnerability, an attacker must hold the Item/Configure permission on a Jenkins job [1][2]; beyond normal HTTP access to the Jenkins web interface, nothing else is needed. The attacker saves arbitrary HTML or JavaScript as the description of a plot in that job's configuration, and the payload is then rendered, and executed, in the browser of any user who views the job's plot report (the PlotReport view whose template is patched in the fix commit).

Successful exploitation is a stored XSS: the script runs in the victim's Jenkins session and can read what that session can read, submit job configuration changes, or perform any other action the victim is authorised for [1][2]. Because the payload lives in the job configuration, it fires on every view until the description is edited out; after the plugin is upgraded the stored text remains but is rendered inert.

The issue is fixed in Plot Plugin version 2.1.11 [1][4]. Users are strongly advised to upgrade to this patched version to mitigate the vulnerability. There are no known workarounds, so updating the plugin is the recommended course of action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
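The narrative above describes three things a practitioner wants to see concretely: how a description that reaches the page unescaped becomes an element, how the same description looks once it is escaped as in the fix, and how to find payloads that were stored in job configurations before the upgrade. The following Python is an added example, not code from the page, from the Jenkins project or from the Plot Plugin; it models the template behaviour in Python rather than Jelly, and the `config.xml` layout (`hudson.plugins.plot.PlotPublisher`, `hudson.plugins.plot.Plot`, `<description>`) is an assumption about how the plugin serialises a job's plots.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed payload: what a user with Item/Configure could save as a plot
# description. It needs no <script> tag; an event handler attribute is enough.
PAYLOAD = '<img src=x onerror="fetch(\'/attacker\')">'


def render_vulnerable(description: str) -> str:
    """Mirror of the pre-fix template: <j:out> emitted the value verbatim."""
    return f"<b>Description</b>: {description}"


def render_fixed(description: str) -> str:
    """Mirror of the fixed template: the value is HTML-escaped before it lands
    in the page, so the browser sees text rather than an element."""
    return f"<b>Description</b>: <span>{html.escape(description, quote=True)}</span>"


# Anything that would become an element, an event handler or a javascript: URL
# once rendered unescaped. A legitimate plot description never needs these.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def contains_markup(description: str) -> bool:
    """True when a description holds markup that would execute if unescaped."""
    return bool(
        TAG_RE.search(description)
        or HANDLER_RE.search(description)
        or "javascript:" in description.lower()
    )


# Constructed job config.xml. The PlotPublisher/Plot element names and the
# <description> child are an assumption about how the plugin serialises its
# configuration, not taken from the advisory.
SAMPLE_CONFIG = f"""<project>
  <publishers>
    <hudson.plugins.plot.PlotPublisher>
      <plots>
        <hudson.plugins.plot.Plot>
          <title>Build time</title>
          <description>{html.escape(PAYLOAD)}</description>
        </hudson.plugins.plot.Plot>
        <hudson.plugins.plot.Plot>
          <title>Test count</title>
          <description>Number of unit tests per build</description>
        </hudson.plugins.plot.Plot>
      </plots>
    </hudson.plugins.plot.PlotPublisher>
  </publishers>
</project>
"""


def find_suspicious_descriptions(config_xml: str) -> list:
    """Return (plot title, description) for every plot whose description
    carries markup. Run this over the job config.xml files on a controller to
    find payloads that were stored while the vulnerable version was installed."""
    root = ET.fromstring(config_xml)
    hits = []
    for plot in root.iter("hudson.plugins.plot.Plot"):
        title = plot.findtext("title", default="")
        description = plot.findtext("description", default="")
        if contains_markup(description):
            hits.append((title, description))
    return hits


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("fixed:     ", render_fixed(PAYLOAD))
    print("stored payloads:", find_suspicious_descriptions(SAMPLE_CONFIG))
```

The escaped rendering still shows the attacker's text to the viewer, which is the intended behaviour: the fix changes how the description is emitted, not what is stored. The scanner is the complementary check, since upgrading stops the payload from executing but leaves it in the configuration where a later template regression, or another consumer of the same field, could expose it again.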

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Affected versions   Patched versions
org.jenkins-ci.plugins:plot (Maven)    < 2.1.11            2.1.11

Affected products (3)

Patches (1)

Commit 4b681af2888d

[SECURITY-2220] Escape plot description (#72)

1 file changed · +1 −1
  • src/main/resources/hudson/plugins/plot/PlotReport/index.jelly (+1 −1, modified)
    @@ -54,7 +54,7 @@
             <div style="width:750px">
               <j:if test="${it.getPlotDescription(index) != null}">
                 <j:if test="${!it.getPlotDescription(index).isEmpty()}">
    -              <b>Description</b>: <j:out value="${it.getPlotDescription(index)}"/>
    +              <b>Description</b>: <span>${it.getPlotDescription(index)}</span>
                 </j:if>
               </j:if>
             </div>
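Review bot: the removed line's `<j:out value="${it.getPlotDescription(index)}"/>` is the injection point, since `j:out` writes its value into the page verbatim; the replacement `${it.getPlotDescription(index)}` as element text inside `<span>` is only safe because the Jelly runtime escapes `${}` text expressions by default, so please confirm that default escaping is in force for this plugin's views and is not switched off anywhere. This hunk covers index.jelly alone; it is worth checking that no other view, and no attribute such as a title or tooltip, still emits the description through `j:out` or an unescaped attribute value. The nested `j:if` tests on null and `isEmpty()` could be folded into one condition, but that is cosmetic.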
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.