Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-5j46-5hwq-gwh7

GitHub Security Advisory

Jenkins Cross-site Scripting vulnerability

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

`ExpandableDetailsNote` allows annotating build log content with additional information that can be revealed when interacted with.

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the `caption` constructor parameter of `ExpandableDetailsNote`.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide `caption` parameter values.

As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins.
Jenkins 2.424, LTS 2.414.2 escapes `caption` constructor parameter values.

Affected Packages

Maven org.jenkins-ci.main:jenkins-core
Affected versions: 2.50 (fixed in 2.414.2)
Maven org.jenkins-ci.main:jenkins-core
Affected versions: 2.415 (fixed in 2.424)

Related CVEs

CVE-2023-43495

Key Information

GHSA ID
GHSA-5j46-5hwq-gwh7
Published
September 20, 2023 6:30 PM
Last Modified
September 21, 2023 5:21 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.main:jenkins-core
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.