PT-2023-21898 · Jenkins · Jenkins Mashup Portlets Plugin
Daniel Beck · Published 2023-03-23 · Updated 2023-04-08
| CVE | CVE-2023-28679 |
| CVSS v3.1 | 5.4 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Mashup Portlets Plugin versions 1.1.2 and earlier
Description
The vulnerability lies in the "Generic JS Portlet" feature, which allows users to populate a portlet with a custom JavaScript expression. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by authenticated attackers with Overall/Read permission.
Recommendations
For Jenkins Mashup Portlets Plugin versions 1.1.2 and earlier, consider disabling the "Generic JS Portlet" feature until a patch is available to prevent exploitation of the stored cross-site scripting vulnerability.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Mashup Portlets Plugin