[io.jenkins.plugins:code-coverage-api] Stored XSS vulnerability in Code Coverage API Plugin

Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration.

Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2106
• https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1680
• http://www.openwall.com/lists/oss-security/2020/01/29/1
• https://github.com/advisories/GHSA-xg77-xqhq-crpr