Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-j927-269r-96xw: Jenkins Cppcheck Plugin vulnerable to stored cross-site scripting (XSS)

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

ghsa
#xss#vulnerability#git

Jenkins Cppcheck Plugin vulnerable to stored cross-site scripting (XSS)

High severity GitHub Reviewed Published Apr 2, 2023 to the GitHub Advisory Database • Updated Apr 4, 2023

Related news

CVE-2023-28672: Jenkins Security Advisory 2023-03-21

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-28669: Jenkins Security Advisory 2023-03-21

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

CVE-2023-28668: Jenkins Security Advisory 2023-03-21

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

CVE-2023-28670: Jenkins Security Advisory 2023-03-21

Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

CVE-2023-28681: Jenkins Security Advisory 2023-03-21

Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28675: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

CVE-2023-28673: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2023-28684: Jenkins Security Advisory 2023-03-21

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28671: Jenkins Security Advisory 2023-03-21

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-28679: Jenkins Security Advisory 2023-03-21

Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.