Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step. Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step. Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035 https://github.com/jenkinsci/jenkins/commit/8c451b08886561a914ef0c30cbb9d40ea33a9bbe