PT-2024-22615 · Gocd · Gocd

Avivkeller · Published 2024-05-13 · Updated 2025-08-04 · CVE-2024-28866

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GoCD versions 19.4.0 through 23.5.0

Description: The issue is a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a redirect_to query parameter with inadequate validation. Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. However, exploiting this to perform privileged actions is likely rather difficult, because the target user would need to be induced to open an attacker-crafted link during the window in which the server is starting up. Additionally, GoCD server restarts invalidate earlier session tokens, so a stolen session token would be unusable once the server has completed its restart.

Recommendations: For GoCD versions 19.4.0 through 23.5.0, consider updating to GoCD 24.1.0 to resolve the issue. As a temporary workaround for earlier GoCD versions, start GoCD with the Java system property override as either -Dloading.page.resource.path=/loading_pages/default.loading.page.html or -Dloading.page.resource.path=/does_not_exist.html to override the loading page with an earlier version which is not vulnerable.
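The root cause described above is a redirect target taken from the query string and used without validation. The following is an added example (not GoCD's own code) of how a loading page can validate a redirect_to-style parameter against a same-origin allow-list and HTML-escape it before writing it into markup; the parameter name, the placeholder origin gocd.invalid and the function names are assumptions.

```javascript
// Added example (not GoCD code): allow-list validation for a "redirect_to"
// query parameter before it becomes a navigation target or page markup.
// Assumption: a safe target is a same-origin path such as "/go/pipelines".

const DEFAULT_TARGET = "/";
const ASSUMED_ORIGIN = "https://gocd.invalid"; // placeholder origin, not a real host

// Returns a same-origin path (plus query/fragment) or DEFAULT_TARGET if untrusted.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return DEFAULT_TARGET;
  }
  // Only a single-slash-rooted path is accepted: "//host", "/\host",
  // "https://...", "javascript:..." and bare relative paths are all refused.
  if (!/^\/(?![\/\\])/.test(raw)) {
    return DEFAULT_TARGET;
  }
  // Control characters and whitespace can change how browsers parse the URL.
  if (/[\x00-\x20\x7f]/.test(raw)) {
    return DEFAULT_TARGET;
  }
  // Parse against a fixed base and confirm the origin was not changed.
  let parsed;
  try {
    parsed = new URL(raw, ASSUMED_ORIGIN);
  } catch (e) {
    return DEFAULT_TARGET;
  }
  if (parsed.origin !== ASSUMED_ORIGIN) {
    return DEFAULT_TARGET;
  }
  // Re-serialise only path, query and fragment; scheme and host are dropped.
  return parsed.pathname + parsed.search + parsed.hash;
}

// HTML-escape a value before interpolating it into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the loading page's "continue" link from the raw query string.
function continueLinkHtml(queryString) {
  const params = new URLSearchParams(queryString);
  const target = safeRedirectTarget(params.get("redirect_to"));
  return `<a href="${escapeHtml(target)}">Continue</a>`;
}
```

Both checks matter: the allow-list stops off-origin and scheme-based targets, and escaping stops the value from breaking out of the attribute it is written into.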

Exploit

Fix

DoS

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-28866
GHSA-Q882-Q6MM-MGVH

Affected Products

Gocd