Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation.

This results in a reflected cross-site scripting (XSS) vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2199
• https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1726
• http://www.openwall.com/lists/oss-security/2020/06/03/3