External Notification Plugin 1.2.1

1 minute read

RELEASED: Public: 2020-07-15

Security advisory

TBD

Security fixes

  • CloudBees Internal Ticket: [CTR-1928]

  • Fix stored XSS vulnerability in CloudBees External Notification Plugin

    The Manage Notification Webhook HTTP Endpoint page was not escaping the name of the webhooks. This vulnerability was exploitable by an attacker with permission to create new webhooks.

    With this fix, the webhooks names are escaped.

  • CloudBees Internal Ticket: [CTR-2099]

  • Fix stored XSS vulnerability in CloudBees External Notification Plugin

    The Manage Notification Webhook HTTP Endpoint page was not escaping the content of the tooltip of the Last Status column. This vulnerability was exploitable by an attacker (no permissions required) making a request to a webhook URL, which are usually stored in 3rd party aplications without encrypt.

    With this fix, the tooltip content is escaped.

New features

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.