Published: 27/03/2023 Updated: 03/04/2023

CVSS v3 Base Score: 5.4 | Impact Score: 2.7 | Exploitability Score: 2.3

VMScore: 0

GoCD is an open source continuous delivery server. GoCD versions prior to 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable Product	Search on Vulmon	Subscribe to Product
thoughtworks gocd

CWE-79 https://docs.gocd.org/current/configuration/pipeline_labeling.html https://www.gocd.org/releases/#23-1-0 https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193 https://github.com/gocd/gocd/releases/tag/23.1.0 https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-28629

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect