CVE-2023-33002

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

7.0%

top 8.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Testcomplete Support Plugin Jenkins Testcomplete Support

Timeline

PublishedMay 16

Description

Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_testcomplete_support_plugin2.8.1

▶NVDjenkins/testcomplete_support2.8.1

▶Mavenorg.jenkins-ci.plugins:TestComplete2.8.1

🔴Vulnerability Details

GHSA

TestComplete support Plugin vulnerable to stored Cross-site Scripting↗2023-05-16

▶

OSV

TestComplete support Plugin vulnerable to stored Cross-site Scripting↗2023-05-16

▶

CVEList

CVE-2023-33002: Jenkins TestComplete support Plugin 2↗2023-05-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-05-16↗2023-05-16

▶