P4 Plugin 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger build or add labels in the Perforce repository.
Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
P4 Plugin 1.10.10 and earlier
Published Date: 03/06/2020