ASA-2019-00096 – Jenkins: Cross-Site Scripting (XSS) vulnerability via user description in Blue Ocean

Blue Ocean did not properly escape HTML/JavaScript content set on the current user’s description field, resulting in a cross-site scripting vulnerability exploitable by administrators and other people accessing Jenkins with the same user account. Blue Ocean now properly escapes HTML/JavaScript content set on the current user’s description field.
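
The class of fix described above, encoding the description at the point of output, shown as an added example; this is not Blue Ocean or Jenkins code. The function names and the sample user record are hypothetical and constructed for illustration.

```javascript
// Added illustration; not Blue Ocean or Jenkins source code.
// escapeHtml, renderProfileUnsafe, renderProfileSafe and countStartTags
// are hypothetical names chosen for this example.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value. null/undefined become an empty string.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the description is concatenated into markup as-is, so any
// tags stored in the field become part of the page.
function renderProfileUnsafe(user) {
  return `<div class="user-description">${user.description}</div>`;
}

// "After": the description is encoded where it is written into the page.
function renderProfileSafe(user) {
  return `<div class="user-description">${escapeHtml(user.description)}</div>`;
}

// Regression check: count element start tags in a rendered fragment.
// The template contributes exactly one (<div>); any more came from data.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample record with benign markup in the description field.
const sampleUser = { id: 'alice', description: '<i>QA lead</i> & "on-call"' };

console.log('unsafe start tags:', countStartTags(renderProfileUnsafe(sampleUser)));
console.log('safe start tags:  ', countStartTags(renderProfileSafe(sampleUser)));
console.log(renderProfileSafe(sampleUser));
```
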