CVE-2020-2175: 
Java vulnerability analysis and mitigation

Jenkins FitNesse Plugin versions 1.31 and earlier contain a stored cross-site scripting (XSS) vulnerability identified as CVE-2020-2175. The vulnerability was discovered in December 2019 and publicly disclosed on April 7, 2020. The issue affects the Jenkins FitNesse Plugin, which fails to properly escape report contents before displaying them on the Jenkins UI (Jenkins Advisory).

The vulnerability is classified as a stored cross-site scripting (XSS) vulnerability with a CVSS severity rating of Medium. The security flaw exists because the plugin does not correctly escape report contents before displaying them on the Jenkins UI. The vulnerability is tracked as SECURITY-1801 in Jenkins security tracking system (Jenkins Advisory, NVD).

The vulnerability allows for stored cross-site scripting attacks that can be exploited by users who have the ability to control the XML input files processed by the plugin. This could potentially lead to unauthorized access to sensitive information or execution of malicious code in the context of other users' browsers (Jenkins Advisory).

The vulnerability has been fixed in FitNesse Plugin version 1.33, which properly escapes content from XML input files before rendering it on the Jenkins UI. Users are advised to upgrade to this version or later to address the security issue. All versions up to and including 1.31 are considered vulnerable (Jenkins Advisory).