A cross-site request forgery vulnerability in Jenkins iceScrum Plugin prior to version 1.1.6 allows attackers to connect to an attacker-specified URL using attacker-specified credentials. This issue is patched in version 1.1.6

References

• https://nvd.nist.gov/vuln/detail/CVE-2019-10441
• https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484
• jenkinsci/icescrum-plugin@2e248f7