QwikSec

Security Database

CVE

CWE

Training

CVE-2023-28629

Published: Mar 27, 2023

Modified: Feb 19, 2025

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
gocd	gocd	affected `< 23.1.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm

x_refsource_CONFIRM

https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193

x_refsource_MISC

https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce

x_refsource_MISC

https://docs.gocd.org/current/configuration/pipeline_labeling.html

x_refsource_MISC

https://github.com/gocd/gocd/releases/tag/23.1.0

x_refsource_MISC

https://www.gocd.org/releases/#23-1-0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.