CVE-2023-46650
Published 2023-10-25
Medium, 5.4 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | cloudbees_cd_plugin | — | — |
| jenkins | edgewall_trac_plugin | — | — |
| jenkins | github | <= 1.37.3 | — |
| jenkins | github_plugin | — | — |
| jenkins | gogs_plugin | — | — |
| jenkins | msteams_webhook_trigger_plugin | — | — |
| jenkins | multibranch_scan_webhook_trigger_plugin | — | — |
| jenkins | non-constant_time_webhook_token_comparison_in_gogs_plugin | — | — |
| jenkins | warnings_plugin | — | — |
| jenkins | zanata_plugin | — | — |
| jenkins_project | jenkins_github_plugin | <= 1.37.3 | — |