CVE-2023-28629

Stored XSS possible on VSM and Job Details pages via malicious pipeline label configuration in gocd

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

*Credits: N/A

CVSS Scores

NISTv3.1 5.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-20 CVE Reserved
2023-03-27 CVE Published
2024-08-02 CVE Updated
2024-10-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (6)

URL	Tag	Source
https://docs.gocd.org/current/configuration/pipeline_labeling.html	Product
https://github.com/gocd/gocd/releases/tag/23.1.0	Release Notes
https://www.gocd.org/releases/#23-1-0	Release Notes

URL	Date	SRC

URL	Date	SRC
https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193	2023-04-03
https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce	2023-04-03
https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm	2023-04-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Thoughtworks Search vendor "Thoughtworks"		Gocd Search vendor "Thoughtworks" for product "Gocd"				< 23.1.0 Search vendor "Thoughtworks" for product "Gocd" and version " < 23.1.0"		-		Affected