CVE-2024-28150 – org.jenkins-ci.plugins:htmlpublisher
Package
Manager: maven
Name: org.jenkins-ci.plugins:htmlpublisher
Vulnerable Version: >=0 <1.32.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00176 (percentile 0.394)
Details
Jenkins HTML Publisher Plugin Stored XSS vulnerability
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Metadata
Created: 2024-03-06T18:30:38Z
Modified: 2024-11-22T22:23:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-xrrw-9j78-hpf3/GHSA-xrrw-9j78-hpf3.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xrrw-9j78-hpf3
Finding: F425
Auto approve: 1