CVE-2023-28629

Name of the Vulnerable Software and Affected Versions GoCD versions prior to 23.1.0

Description The issue is a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker with permissions to configure pipelines could include JavaScript elements within the label template, causing the vulnerability to be triggered for users viewing the Value Stream Map or Job Details for runs of the affected pipeline. This could allow attackers to perform arbitrary actions within the victim's browser context.

Recommendations For GoCD versions prior to 23.1.0, upgrade to version 23.1.0 to resolve the issue. As a temporary workaround, consider restricting access to configure pipeline labels to minimize the risk of exploitation. Avoid using the label template in pipeline configurations until the issue is resolved.