PT-2023-20285 · Jenkins · Jenkins Junit Plugin+1

Kevin Guerroudj

Published

2023-02-15

Updated

2025-03-19

CVE-2023-25761

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins JUnit Plugin versions 1166.va 436e268e972 and earlier

Description The issue results from the plugin not escaping test case class names in JavaScript expressions, leading to a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited by attackers who can control test case class names in the JUnit resources processed by the plugin.

Recommendations For Jenkins JUnit Plugin versions 1166.va 436e268e972 and earlier, update to a version that escapes test case class names in JavaScript expressions to prevent stored cross-site scripting (XSS) attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-25761

GHSA-PH74-8RGX-64C5

RHSA-2023:1866

RHSA-2023:3195

RHSA-2023:3198

RHSA-2023:3299

RHSA-2023:6171

RHSA-2023:6172

RHSA-2023:6179

RHSA-2023:7288

RHSA-2024:0775

RHSA-2024:0776

RHSA-2024:0777

RHSA-2024:0778

Affected Products

Jenkins

Jenkins Junit Plugin

PT-2023-20285 · Jenkins · Jenkins Junit Plugin+1

CVE-2023-25761

Weakness Enumeration

Related Identifiers

Affected Products

References · 9