CVE-2023-46659: 
Java vulnerability analysis and mitigation

Jenkins Edgewall Trac Plugin version 1.13 and earlier contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2023-46659. The vulnerability was discovered and disclosed on October 25, 2023, affecting the plugin's build page functionality. The issue impacts all versions of the Edgewall Trac Plugin up to and including version 1.13 (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's failure to properly escape the Trac website URL on the build page. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires an attacker to have Item/Configure permission to be exploitable (NVD, Jenkins Advisory).

When successfully exploited, this vulnerability allows attackers with Item/Configure permission to execute stored cross-site scripting (XSS) attacks through the unescaped Trac website URL on the build page. This could potentially lead to the execution of arbitrary web scripts in the context of other users' browsers who view the affected build page (Jenkins Advisory).

As of the advisory's publication date, there is no fix available for this vulnerability. Users of the Edgewall Trac Plugin should monitor for updates and consider implementing additional access controls to restrict Item/Configure permissions (Jenkins Advisory).

The vulnerability was discovered and reported by Yaroslav Afenkin from CloudBees, Inc. The Jenkins project has classified this as a high-severity issue in their security advisory (Jenkins Advisory).