CVE-2022-30961: 
Java vulnerability analysis and mitigation

Jenkins Autocomplete Parameter Plugin version 1.1 and earlier contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2022-30961. The vulnerability was disclosed on May 17, 2022, and affects the plugin's handling of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters (Jenkins Advisory).

The vulnerability stems from the plugin's failure to properly escape the name of Dropdown Autocomplete and Auto Complete String parameters when they are displayed in views. This creates a stored XSS vulnerability that can be exploited by attackers who have Item/Configure permission. The vulnerability has been assigned a severity rating of High (Jenkins Advisory).

The vulnerability allows attackers with Item/Configure permission to execute stored cross-site scripting (XSS) attacks through the parameter names. Exploitation requires that parameters are listed on pages like 'Build With Parameters' and 'Parameters' pages, and that those pages are not hardened against such attacks (Jenkins Advisory).

As of the advisory's publication date, no fix was available for this vulnerability in the Autocomplete Parameter Plugin. The plugin version 1.1 and earlier remain vulnerable. Jenkins core itself has some built-in protections against similar vulnerabilities since version 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix (Jenkins Advisory).