CVE-2023-28678: Jenkins Cppcheck Plugin vulnerable to stored cross-site scripting (XSS)

April 2, 2023 (updated February 25, 2025)

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

References

github.com/advisories/GHSA-j927-269r-96xw
github.com/jenkinsci/cppcheck-plugin
nvd.nist.gov/vuln/detail/CVE-2023-28678
www.jenkins.io/security/advisory/2023-03-21/

Code Behaviors & Features

Detect and mitigate CVE-2023-28678 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →