{"id":"CVE-2023-28679","details":"Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the \"Generic JS Portlet\" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.","aliases":["GHSA-h9h3-jx58-6hqq"],"modified":"2026-04-11T16:35:05.295522Z","published":"2023-04-02T21:15:09.240Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2813"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/mashup-portlets-plugin","events":[{"introduced":"0"},{"last_affected":"0a8615d0507879da7202babd116b20afd6a1d6f2"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.1.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:jenkins:mashup_portlets:*:*:*:*:*:jenkins:*:*"}}],"versions":["mashup-portlets-plugin-0.9","mashup-portlets-plugin-0.9.1","mashup-portlets-plugin-0.9.2","mashup-portlets-plugin-0.9.3","mashup-portlets-plugin-1.0.0","mashup-portlets-plugin-1.0.1","mashup-portlets-plugin-1.0.2","mashup-portlets-plugin-1.0.3","mashup-portlets-plugin-1.0.5","mashup-portlets-plugin-1.0.6","mashup-portlets-plugin-1.0.8","mashup-portlets-plugin-1.0.9","mashup-portlets-plugin-1.1.0","mashup-portlets-plugin-1.1.1","mashup-portlets-plugin-1.1.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28679.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}