CVE-2023-43495: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

September 20, 2023 (updated September 23, 2023)

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the ‘caption’ constructor parameter of ‘ExpandableDetailsNote’, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.

References

www.openwall.com/lists/oss-security/2023/09/20/5
nvd.nist.gov/vuln/detail/CVE-2023-43495
www.jenkins.io/security/advisory/2023-09-20/

Code Behaviors & Features

Detect and mitigate CVE-2023-43495 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →