GHSA-9pp4-mx6x-xh36

GitHub Security Advisory

Jenkins OWASP Dependency-Check Plugin has stored XSS vulnerability

✓ GitHub Reviewed | MODERATE | Has CVE

Advisory Details

Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability.

Affected Packages

Maven org.jenkins-ci.plugins:dependency-check-jenkins-plugin
Affected versions: 5.4.5 and earlier (fixed in 5.4.6)

Key Information

GHSA ID: GHSA-9pp4-mx6x-xh36
Published: March 6, 2024 6:30 PM
Last Modified: January 21, 2025 6:27 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:dependency-check-jenkins-plugin
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.