Jenkins Security Advisory:
Description
SECURITY-171, SECURITY-177 (Reflected XSS vulnerability)
An attacker with no access to Jenkins can lure a user into
visiting a carefully crafted URL and thereby make the user's
browser perform unintended actions. This vulnerability can be
used to attack Jenkins instances inside firewalls from outside,
as long as the attacker knows the location of Jenkins.
SECURITY-180 (forced API token change)
The part of Jenkins that issues a new API token was not
adequately protected against anonymous attackers, which allows
an attacker to escalate privileges on Jenkins.
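As an added example (not Jenkins code and not part of the advisory), a minimal model of a token-issuing endpoint shows the unprotected pattern described under SECURITY-180 beside a hardened handler that requires an authenticated user, a POST, a valid anti-CSRF crumb, and self-only changes unless the caller is an admin. The Request and Server classes, the crumb field and the admin set are assumptions for illustration.

```python
# Added example: models an "issue new API token" endpoint; not Jenkins code.
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    user: Optional[str]            # None means anonymous caller
    params: dict
    crumb: Optional[str] = None    # anti-CSRF token bound to the session


@dataclass
class Server:
    tokens: dict = field(default_factory=dict)   # user -> current API token
    crumbs: dict = field(default_factory=dict)   # user -> expected crumb
    admins: set = field(default_factory=set)     # users allowed to act on others

    def weak_change_token(self, req: Request):
        """Unprotected pattern: any caller, even anonymous over GET, can
        rotate any user's token just by naming the user in a parameter."""
        target = req.params.get("user")
        self.tokens[target] = secrets.token_hex(16)
        return 200, self.tokens[target]

    def change_token(self, req: Request):
        """Hardened handler: authenticated, POST only, valid crumb,
        and only the caller's own token unless the caller is an admin."""
        if req.user is None:
            return 403, "authentication required"
        if req.method != "POST":
            return 405, "state change requires POST"
        expected = self.crumbs.get(req.user, "")
        if req.crumb is None or not secrets.compare_digest(req.crumb, expected):
            return 403, "missing or invalid crumb"
        target = req.params.get("user", req.user)
        if target != req.user and req.user not in self.admins:
            return 403, "may only rotate your own token"
        self.tokens[target] = secrets.token_hex(16)
        return 200, self.tokens[target]
```

Each check in the hardened handler closes one path the weak version leaves open: anonymous access, a GET triggered by a crafted link, a cross-site POST without the crumb, and rotation of another user's token.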