CVE-2023-28629: 
GoCD Server vulnerability analysis and mitigation

GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. The vulnerability was discovered in March 2023 and fixed in GoCD version 23.1.0 (GitHub Advisory).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79). It has a CVSS v3.1 score of 5.4 (Moderate), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists in the pipeline label configuration functionality where unescaped user input could be rendered in the Value Stream Map and Job Details pages (GitHub Advisory).

An attacker with permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing an XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline. This could potentially allow them to perform arbitrary actions within the victim's browser context rather than their own (GitHub Advisory).

The vulnerability has been fixed in GoCD version 23.1.0. There are no known workarounds for this vulnerability. Users are advised to upgrade to version 23.1.0 or later (GitHub Advisory).