{"id":"CVE-2023-25762","details":"Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.","aliases":["GHSA-9j65-3f2q-8q2r"],"modified":"2026-03-15T14:49:31.934191Z","published":"2023-02-15T14:15:13.470Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2023/02/15/4"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/pipeline-build-step-plugin","events":[{"introduced":"0"},{"last_affected":"1be2439c9fb8fc88496ae6e2db1e7b7b8c359a70"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.18"}]}}],"versions":["pipeline-build-step-2.0","pipeline-build-step-2.1","pipeline-build-step-2.10","pipeline-build-step-2.11","pipeline-build-step-2.12","pipeline-build-step-2.13","pipeline-build-step-2.14","pipeline-build-step-2.15","pipeline-build-step-2.16","pipeline-build-step-2.17","pipeline-build-step-2.18","pipeline-build-step-2.2","pipeline-build-step-2.3","pipeline-build-step-2.4","pipeline-build-step-2.5","pipeline-build-step-2.6","pipeline-build-step-2.7","pipeline-build-step-2.8","pipeline-build-step-2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25762.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}