CVE-2022-34790
Description
Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier has a stored XSS vulnerability via unescaped job names in tooltips, exploitable by attackers with Item/Configure permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Jenkins eXtreme Feedback Panel Plugin versions 2.0.1 and earlier fail to properly escape job names when rendering tooltips. This allows an attacker to inject malicious scripts that are stored and later executed in the context of other users viewing the tooltip. [1][2]
Exploitation requires an attacker to have Item/Configure permission on a Jenkins job. The attacker can set a job name containing malicious JavaScript. When other users hover over the tooltip, the script executes. No additional authentication is needed for the victim beyond viewing the dashboard. [1]
Successful exploitation leads to stored cross-site scripting (XSS), enabling the attacker to perform actions on behalf of the victim, such as modifying job configurations, accessing credentials, or executing arbitrary commands on the Jenkins controller. [1][2]
The vulnerability is fixed in version 2.0.2 of the plugin. Users should upgrade immediately. As of the advisory date, no workaround is mentioned. The plugin is open source and available on GitHub. [1][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:xfpanel | Maven | <= 2.0.1 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w257-f7qj-4vrq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-34790 (NVD entry)
- www.jenkins.io/security/advisory/2022-06-30/ (Jenkins security advisory, vendor confirmation)
News mentions
No linked articles in our index yet.