Advisories for Maven/Org.jenkins-Ci.plugins/Icescrum package

2024

Jenkins iceScrum Plugin vulnerable to stored Cross-site Scripting

Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

2019

Incorrect Permission Assignment for Critical Resource

A missing permission check in Jenkins iceScrum Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Cross-Site Request Forgery (CSRF)

A cross-site request forgery vulnerability in Jenkins iceScrum Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

Cleartext Storage of Sensitive Information

Jenkins iceScrum Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.