CVE-2023-46650

Severity
5.4 MEDIUM
EPSS
4.3%
top 11.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Oct 25

Description

Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 3 packages

🔴 Vulnerability Details (3)

CVEList
CVE-2023-46650: Jenkins GitHub Plugin 1 (2023-10-25)
GHSA
Stored XSS vulnerability in Jenkins GitHub Plugin (2023-10-25)
OSV
Stored XSS vulnerability in Jenkins GitHub Plugin (2023-10-25)

📋 Vendor Advisories (1)

Jenkins
Jenkins Security Advisory 2023-10-25 (2023-10-25)
CVE-2023-46650 (MEDIUM CVSS 5.4) | Jenkins GitHub Plugin 1.37.3 and ea | cvebase.io