External Notification Plugin 1.4


RELEASED: Public: 2020-07-15

Security advisory

TBD

Security fixes

  • CloudBees Internal Ticket: [CTR-1928]

  • Fix stored XSS vulnerability in CloudBees External Notification Plugin

    The Manage Notification Webhook HTTP Endpoint page did not escape webhook names. This vulnerability was exploitable by an attacker with permission to create new webhooks.

    With this fix, webhook names are escaped.

  • CloudBees Internal Ticket: [CTR-2099]

  • Fix stored XSS vulnerability in CloudBees External Notification Plugin

    The Manage Notification Webhook HTTP Endpoint page did not escape the content of the tooltip in the Last Status column. This vulnerability was exploitable by an attacker (no permissions required) making a request to a webhook URL; these URLs are usually stored unencrypted in third-party applications.

    With this fix, the tooltip content is escaped.

New features

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.