CVE-2023-28670: 
Java vulnerability analysis and mitigation

Pipeline Aggregator View Plugin version 1.13 and earlier contains a stored cross-site scripting (XSS) vulnerability (CVE-2023-28670). The vulnerability was discovered in March 2023 and affects the plugin's handling of the current view's URL in inline JavaScript. This security issue impacts Jenkins installations using the affected versions of the Pipeline Aggregator View Plugin (Jenkins Advisory).

The vulnerability stems from the plugin's failure to properly escape a variable that represents the current view's URL when used in inline JavaScript. The severity is rated as High with a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

This vulnerability allows authenticated attackers with Overall/Read permission to execute arbitrary JavaScript code through stored XSS attacks. The successful exploitation could lead to unauthorized access to sensitive information, session hijacking, or other malicious actions within the context of the Jenkins application (Jenkins Advisory).

The vulnerability has been fixed in Pipeline Aggregator View Plugin version 1.14, which obtains the current URL in a way that is not susceptible to XSS. Users are advised to upgrade to this version to address the security issue (Jenkins Advisory).