CVE-2024-28150 — Jenkins HTML Publisher Plugin Stored XSS vulnerability

Description

Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

How to fix CVE-2024-28150

To remediate CVE-2024-28150, upgrade the affected package to a fixed version below.

—upgrade to 1.32.1 or later

Is CVE-2024-28150 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.32.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-28150
PATCHgithub.com/jenkinsci/htmlpublisher-plugin
WEBgithub.com/jenkinsci/htmlpublisher-plugin/commit/c0eed940e65ea90f9b5ba21aa3d953546d5cd8ad
WEBwww.jenkins.io/security/advisory/2024-03-06/#SECURITY-3302