CVE-2024-28160
Description
Jenkins iceScrum Plugin 1.1.6 and earlier has a stored XSS vulnerability via unsanitized project URLs on build views, allowing attackers with job configuration permissions to execute arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
Jenkins iceScrum Plugin version 1.1.6 and earlier fails to sanitize iceScrum project URLs when displaying them on build views. This results in a stored cross-site scripting (XSS) vulnerability [1][3]. The plugin neither validates nor encodes the URLs before rendering them in the Jenkins UI.
Exploitation
An attacker with Item/Configure permission can set a malicious project URL in a job configuration. When a build is executed, the crafted URL is stored and later rendered on build-related pages without sanitization, so the script executes in the browser of any user who views those pages [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the Jenkins context. This could lead to session hijacking, credential theft, or further unauthorized actions within Jenkins [1].
Mitigation Status
As of the Jenkins Security Advisory 2024-03-06, this vulnerability remains unresolved; the plugin is listed among the issues without a fix [2]. Users are advised to avoid using the plugin or to restrict Item/Configure permission to trusted users only.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:icescrum | <= 1.1.6 | — |
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2pc2-h97h-2mmw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-28160 (GHSA, advisory)
- www.jenkins.io/security/advisory/2024-03-06/ (GHSA, vendor advisory, web)
- www.openwall.com/lists/oss-security/2024/03/06/3 (GHSA, web)
News mentions
- Jenkins Security Advisory 2024-03-06 (Jenkins Security Advisories, Mar 6, 2024)