Stored Cross-Site Scripting Vulnerability in Jenkins Mashup Portlets Plugin
CVE-2023-28679

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Mashup Portlets Plugin
Vendor: CVE Published:; 2 April 2023

What is CVE-2023-28679?

The Jenkins Mashup Portlets Plugin allows authenticated users with Overall/Read permission to inject malicious JavaScript through the 'Generic JS Portlet' feature. This results in a stored cross-site scripting vulnerability, enabling attackers to execute arbitrary scripts in the context of other users, which could lead to data theft or unauthorized actions in the application.

Affected Version(s)

Jenkins Mashup Portlets Plugin 0 <= 1.1.2

References

https://www.jenkins.io/security/advisory/2023-03-21/#SECU...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2023
Vulnerability Reserved
Mar 20, 2023