CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(1) • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission. • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2885 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3061 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled. • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3053 • CWE-281: Improper Preservation of Permissions

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2930 • CWE-611: Improper Restriction of XML External Entity Reference