CVE-2023-28678: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

April 2, 2023 (updated April 4, 2023)

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

References

github.com/advisories/GHSA-j927-269r-96xw
nvd.nist.gov/vuln/detail/CVE-2023-28678
www.jenkins.io/security/advisory/2023-03-21/

Detect and mitigate CVE-2023-28678 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →