PT-2023-21897 · Jenkins · Jenkins Cppcheck Plugin

Daniel Beck · Published 2023-03-23 · Updated 2025-02-25 · CVE-2023-28678

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Cppcheck Plugin versions 1.26 and earlier

Description: Jenkins Cppcheck Plugin versions 1.26 and earlier do not escape file names taken from Cppcheck report files before displaying them on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by attackers able to control the contents of the report files.

Recommendations: For Jenkins Cppcheck Plugin versions 1.26 and earlier, update to a version later than 1.26 to resolve the issue. As a temporary workaround, consider restricting access to the Jenkins UI to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-28678
GHSA-J927-269R-96XW

Affected Products

Jenkins
Jenkins Cppcheck Plugin