GHSA-v27q-87jf-j9cr

GitHub Security Advisory

Jenkins Pipeline Aggregator View Plugin vulnerable to Cross-site Scripting

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission. Version 1.14 obtains the current URL in a way not susceptible to XSS.

Affected Packages

Maven: com.paul8620.jenkins.plugins:pipeline-aggregator-view
Affected versions: 0 (fixed in 1.14)

Key Information

GHSA ID: GHSA-v27q-87jf-j9cr
Published: April 2, 2023 9:30 PM
Last Modified: April 7, 2023 11:03 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: com.paul8620.jenkins.plugins:pipeline-aggregator-view
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.