CVE-2022-34185: 
Java vulnerability analysis and mitigation

Jenkins Date Parameter Plugin 0.0.4 and earlier contains a stored cross-site scripting (XSS) vulnerability (CVE-2022-34185) that was disclosed on June 22, 2022. The vulnerability affects the plugin's handling of Date parameters on views displaying parameters, where it fails to properly escape the name and description fields. This security issue is exploitable by attackers who have Item/Configure permission on the Jenkins instance (Jenkins Advisory).

The vulnerability stems from improper escaping of the name and description of Date parameters when they are displayed in views. This creates a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Item/Configure permissions. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with Item/Configure permission to inject malicious HTML and JavaScript code into the Jenkins UI through the Date parameter name and description fields. The impact is somewhat limited as exploitation requires that parameters are listed on pages like 'Build With Parameters' and 'Parameters', and that those pages are not hardened against such attacks (Jenkins Advisory).

As of the advisory's publication date, there was no fix available for the Date Parameter Plugin version 0.0.4 and earlier. Users are advised to assess their risk and consider removing or disabling the plugin until a security fix becomes available (Jenkins Advisory).