CVE-2024-28150: Jenkins HTML Publisher Plugin Stored XSS vulnerability

March 6, 2024 (updated November 22, 2024)

Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

References

github.com/advisories/GHSA-xrrw-9j78-hpf3
github.com/jenkinsci/htmlpublisher-plugin
github.com/jenkinsci/htmlpublisher-plugin/commit/c0eed940e65ea90f9b5ba21aa3d953546d5cd8ad
nvd.nist.gov/vuln/detail/CVE-2024-28150
www.jenkins.io/security/advisory/2024-03-06/

Detect and mitigate CVE-2024-28150 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →