CVERadar

CVE-2024-28866

Medium Severity

SVRS

30/100

CVSSv3

NA/10

EPSS

0.00214/1

CVE-2024-28866 is a reflected cross-site scripting (XSS) vulnerability in GoCD, a continuous delivery server. This vulnerability affects GoCD versions 19.4.0 through 23.5.0 due to inadequate validation of the redirect_to query parameter on the loading page. Although the CVSS score is 0, indicating low severity according to that metric, the SOCRadar Vulnerability Risk Score (SVRS) of 30 suggests some level of risk. Attackers could potentially steal session tokens by exploiting this XSS vulnerability, but successful exploitation requires specific timing during server startup, making it difficult to perform privileged actions. The risk is somewhat mitigated by GoCD server restarts invalidating session tokens. Users are advised to upgrade to GoCD 24.1.0 to remediate this security flaw, or use the workaround provided.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence

Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.

CREATE FREE ACCOUNT

CVE Details

Access comprehensive CVE information instantly

Real-time Tracking

Subscribe to CVEs and get instant updates

Exploit Analysis

Monitor related APT groups and threats

IOC Tracking

Analyze and track CVE-related IOCs

News

CVE-2024-28866 | GoCD up to 24.0.x redirect_to cross site scripting

vuldb.com2025-03-30

CVE-2024-28866 | GoCD up to 24.0.x redirect_to cross site scripting | A vulnerability, which was classified as problematic, was found in GoCD up to 24.0.x. Affected is an unknown function. The manipulation of the argument redirect_to leads to cross site scripting. This vulnerability is traded as CVE-2024-28866. It is possible to launch the attack remotely. There is no

vuldb.com

rss

forum

news

Vulnerability Summary for the Week of May 13, 2024

CISA2024-05-20

; The Themify Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themify_button shortcode in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 <a href="https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2024-4567&vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" target="_blank" title

cve-2023-52695

cve-2024-4231

cve-2024-4968

cve-2024-4666

Social Media

CVE

@CVEnew

2024-05-13

CVE-2024-28866 GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on … https://t.co/5NHKDEDUBE

Affected Software

No affected software found for this CVE

References

Reference	Link
[email protected]	https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402
[email protected]	https://github.com/gocd/gocd/releases/tag/24.1.0
[email protected]	https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh
[email protected]	https://www.gocd.org/releases/#24-1-0

CWE Details

CWE ID	CWE Name	Description
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence