CVE-2023-35143 — Stored XSS vulnerability in Jenkins Maven Repository Server Plugin

Description

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`.

How to fix CVE-2023-35143

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-35143 being exploited?

Moderate — EPSS is 7.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, <= 1.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-35143
WEBwww.jenkins.io/security/advisory/2023-06-14/#SECURITY-3156
WEBwww.openwall.com/lists/oss-security/2023/06/14/5