Reflected XSS in GoCD

GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

GoCD 跨站脚本漏洞

GoCD是一个持续交付服务器。 GoCD 20.2.0版本至21.4.0版本存在跨站脚本漏洞，该漏洞源于通过滥用函数将任意 HTML 呈现到返回的页面中，容易受到反射的跨站点脚本的攻击。攻击者利用该漏洞诱骗受害者执行代码，从而操作或控制受害者有权访问的相同资源。

N/A

N/A