June 16, 2023

GHSL-2023-115: Cross-Site Scripting (XSS) in template-workflows-plugin - CVE-2023-35146

Alvaro Munoz

Coordinated Disclosure Timeline


A stored Cross-Site Scripting (XSS) vulnerability was found in the template-workflows-plugin project.


Template Workflows plugin

Tested Version



Stored Cross-Site Scripting (GHSL-2023-115)

The TemplatesWorkflowJob#refresh method crafts an HTML response using user-controlled data such as the job’s name:

    build.append("<tr><td></td><td><div id =\"").append(j.getName()).append(".validation\" style=\"visibility: hidden;\"></div></td></tr>");

The response from the AJAX handler is then processed by the following function, which inserts it into the DOM as HTML using innerHTML:

    function refresh() {
        var foo = <st:bind value="${it}"/>
        foo.refresh(document.getElementById('template.templateName').value, function(t) {
            document.getElementById('loading').style.visibility = 'hidden';
            // Sink: the server-built string is parsed as markup, not treated as text
            document.getElementById('msg').innerHTML = t.responseObject().msg;

Proof of Concept

As a user with Job create/configure permissions, do the following:

  1. Create new Template Workflow Job called foo
  2. Create new Job named "onfocus="alert(document.domain)"autofocus="
  3. Mark that job as a Building Block in a Template Workflow and assign it a name
  4. Send the following link to the victim http://localhost:8080/jenkins/job/foo/configure
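
The following added example (not code from the plugin or the advisory) rebuilds the row fragment with the job name from step 2, first by raw concatenation as in the refresh method and then with HTML escaping, and lists the attributes the div ends up carrying. The function names are hypothetical, and the escaping shown is a generic mitigation assumed here, not the fix the plugin shipped.

```javascript
// Added example; buildRowUnsafe, buildRowSafe, escapeHtml and divAttributes
// are hypothetical names, not part of template-workflows-plugin.

// Mirrors the concatenation shown in the advisory: the job name is used raw.
function buildRowUnsafe(jobName) {
  return '<tr><td></td><td><div id ="' + jobName +
    '.validation" style="visibility: hidden;"></div></td></tr>';
}

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same fragment, but the name can no longer close the id attribute.
function buildRowSafe(jobName) {
  return buildRowUnsafe(escapeHtml(jobName));
}

// Minimal attribute scanner for the first <div ...> tag. Sufficient for a
// regression check on this fragment; it is not a general HTML parser.
function divAttributes(html) {
  const tag = /<div\b([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Job name taken from step 2 of the proof of concept above.
const jobName = '"onfocus="alert(document.domain)"autofocus="';

// Raw concatenation: the name closes id="" and contributes its own attributes.
console.log(divAttributes(buildRowUnsafe(jobName)));
// Escaped: the whole name stays inside the id value.
console.log(divAttributes(buildRowSafe(jobName)));
```

A check like this can run as a unit test against whatever builds the msg string, so a regression that reintroduces raw concatenation shows up as unexpected attributes on the div.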


This issue may lead to Cross-Site Scripting and, if targeted to an administrator, it can be leveraged to achieve Remote Code Execution (RCE).




This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2023-115 in any communication regarding this issue.