RELEASED: Public: 2020-07-15
Security fixes
CloudBees Internal Ticket: [CTR-1980]
Fix stored XSS vulnerability in CloudBees Role-Based Access Control plugin
The text in Group descriptions and Role IDs could be used to store malicious code. This malicious code would then be run if users moused over icons to display tooltips that included the Group description or the Role ID.
With this fix, the text in both Group descriptions and Role IDs is escaped by using the configured markup formatter.
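The effect of the fix can be modelled in a few lines. This is an added example, not code from the plugin: the function names are hypothetical, the formatter is assumed to be a plain-text (escaping) markup formatter, and the tooltip widget is assumed to render its attribute value as HTML.

```javascript
// Constructed model of the tooltip rendering path; all names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Stand-in for an escaping markup formatter: untrusted text in, inert HTML out.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Removes exactly one layer of entity encoding, as an HTML parser does
// when it reads an attribute value. '&amp;' is decoded last on purpose.
function decodeAttribute(value) {
  return value
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Builds the tooltip attribute value written into the page.
// formatter === null models the behaviour before the fix: the stored text is
// only attribute-encoded, which keeps the page well-formed but is undone
// again as soon as the attribute is parsed.
function tooltipAttribute(storedText, formatter) {
  const html = formatter ? formatter(storedText) : storedText;
  return escapeHtml(html);
}

// What the tooltip widget receives and inserts as HTML on mouse-over.
function htmlSeenByTooltip(attributeValue) {
  return decodeAttribute(attributeValue);
}

// True when the string would create elements if inserted as HTML.
function containsMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed sample of a Group description containing markup.
const SAMPLE_DESCRIPTION = 'Ops team <img src=x onerror=alert(1)>';

function demo() {
  const before = htmlSeenByTooltip(tooltipAttribute(SAMPLE_DESCRIPTION, null));
  const after = htmlSeenByTooltip(tooltipAttribute(SAMPLE_DESCRIPTION, escapeHtml));
  return { before, after };
}

console.log(demo());
```

Attribute encoding alone does not protect a value that is later inserted as HTML; the text has to be escaped for the HTML context first, which is what routing it through the formatter achieves.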