CVE-2023-33002: 
Java vulnerability analysis and mitigation

Jenkins TestComplete support Plugin 2.8.1 and earlier contains a stored cross-site scripting (XSS) vulnerability (CVE-2023-33002) that was disclosed on May 16, 2023. The vulnerability affects the plugin's test result page where the TestComplete project name is not properly escaped, making it exploitable by attackers who have Item/Configure permission (Jenkins Advisory, NVD).

The vulnerability is classified as a stored XSS vulnerability with a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The core issue lies in the plugin's failure to properly escape the TestComplete project name when it is displayed on the test result page (NVD).

This vulnerability allows attackers with Item/Configure permission to execute arbitrary JavaScript code in the context of other users' browsers when they view the affected test result pages. This could potentially lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser session (Jenkins Advisory).

As of the advisory's publication date, there was no fix available for this vulnerability. Users of the TestComplete support Plugin version 2.8.1 and earlier should carefully consider who has Item/Configure permissions and monitor for potential abuse (Jenkins Advisory).