Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14cnJ3LTlqNzgtaHBmM84AA5zs
Jenkins HTML Publisher Plugin Stored XSS vulnerability
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Permalink: https://github.com/advisories/GHSA-xrrw-9j78-hpf3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cnJ3LTlqNzgtaHBmM84AA5zs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-xrrw-9j78-hpf3, CVE-2024-28150
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-28150
- https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3302
- https://github.com/jenkinsci/htmlpublisher-plugin/commit/c0eed940e65ea90f9b5ba21aa3d953546d5cd8ad
- https://github.com/advisories/GHSA-xrrw-9j78-hpf3
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:htmlpublisher
Affected Version Ranges: < 1.32.1Fixed in: 1.32.1