The vulnerability stemmed from HTTP endpoints handling SCM operations without: 1) POST method enforcement (allowing CSRF), and 2) Job/Create permission checks. The commit diff shows critical additions of checkPermission() calls and HTTP method validation in multiple SCM implementations. Functions like getState() and getOrganizations() in Bitbucket/GitHub SCM classes were modified to add these security checks, indicating they were previously vulnerable. The Scm.validateAndCreate endpoint's method change from PUT to POST in the annotation further confirms this pattern. Test cases added in *SecurityTest.java files validate that these endpoints now require proper permissions and POST requests.