Stored XSS in Jenkins HTML Publisher Plugin <1.32 via unescaped titles
CVE-2024-28150 Published on March 6, 2024
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Vulnerability Analysis
CVE-2024-28150 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-28150 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-28150
Want to know whenever a new CVE is published for Jenkins Html Publisher? stack.watch will email you.
Affected Versions
Jenkins Project Jenkins HTML Publisher Plugin:- Before and including 1.32 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.