Cross-Site Scripting Vulnerability in Jenkins HTML Publisher Plugin by Jenkins
CVE-2019-10432

5.4 MEDIUM

Key Information:

Vendor:
Jenkins
CVE Published:
1 October 2019

Summary

Jenkins HTML Publisher Plugin 1.20 and earlier does not escape the project and build display names when it generates the HTML report frame that wraps published reports. Because those names are stored and rendered to every user who opens the report, this is a stored cross-site scripting (XSS) vulnerability: a user who can change a project's or a build's display name can embed script in it, and the script runs in the browser of anyone who later views that build's HTML report. HTML Publisher Plugin 1.21 escapes the project and build display names; affected installations should update to 1.21 or later.
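To make the escaping point concrete, the following is an added example written for this page; it is not code from the Jenkins HTML Publisher Plugin (which is Java), and the frame layout, function names, and the job and build names are constructed assumptions. It builds a minimal report frame the way an unescaped template would (the pre-1.21 behaviour), builds it again with every untrusted value HTML-escaped, and then checks which tags in the resulting page did not come from the template.

```python
"""Illustration of the report-frame escaping bug described in CVE-2019-10432.

Added example for this page, not the plugin's own code.  The frame structure,
the function names and all job/build names below are constructed assumptions.
"""

import html
import re

# Constructed attacker input: a user who can set a build's display name picks
# a name that carries markup.  The project name comes from the job config.
PROJECT_NAME = "webapp-ci"
BUILD_DISPLAY_NAME = '#42 <img src=x onerror="alert(document.cookie)">'
REPORT_FILES = ["index.html", "coverage.html"]

# Tags the template itself emits; anything else in the output was injected.
TEMPLATE_TAGS = {"html", "head", "title", "body", "h1", "div", "a", "iframe"}


def report_frame_vulnerable(project_name: str, build_name: str, files: list) -> str:
    """Wrapper frame with display names interpolated straight into the HTML.

    The <h1> is an ordinary text context, so a name containing '<img ...>'
    becomes a live element and its onerror handler runs in the viewer's
    browser.
    """
    tabs = "".join(f'<a href="{f}">{f}</a>' for f in files)
    return (
        "<html><head>"
        f"<title>{project_name} - {build_name}</title>"
        "</head><body>"
        f"<h1>{project_name}: {build_name}</h1>"
        f'<div class="tabs">{tabs}</div>'
        f'<iframe src="{files[0]}"></iframe>'
        "</body></html>"
    )


def esc(value: str) -> str:
    """HTML-escape for both text and double-quoted attribute contexts.

    html.escape(quote=True) rewrites < > & " and ', so an untrusted value can
    neither start a tag nor break out of an attribute value.
    """
    return html.escape(value, quote=True)


def report_frame_fixed(project_name: str, build_name: str, files: list) -> str:
    """Same frame, with every untrusted value escaped before insertion."""
    tabs = "".join(f'<a href="{esc(f)}">{esc(f)}</a>' for f in files)
    return (
        "<html><head>"
        f"<title>{esc(project_name)} - {esc(build_name)}</title>"
        "</head><body>"
        f"<h1>{esc(project_name)}: {esc(build_name)}</h1>"
        f'<div class="tabs">{tabs}</div>'
        f'<iframe src="{esc(files[0])}"></iframe>'
        "</body></html>"
    )


_OPEN_TAG = re.compile(r"<[a-zA-Z][^>]*>")


def injected_tags(page: str, expected_tags: set) -> set:
    """Return the names of opening tags in `page` that the template did not
    emit.  A non-empty result means attacker-controlled markup reached the
    browser unescaped."""
    found = set()
    for match in _OPEN_TAG.finditer(page):
        found.add(match.group(0)[1:].split()[0].rstrip(">").lower())
    return found - expected_tags


if __name__ == "__main__":
    bad = report_frame_vulnerable(PROJECT_NAME, BUILD_DISPLAY_NAME, REPORT_FILES)
    good = report_frame_fixed(PROJECT_NAME, BUILD_DISPLAY_NAME, REPORT_FILES)
    print("vulnerable frame, injected tags:", injected_tags(bad, TEMPLATE_TAGS))
    print("fixed frame, injected tags:     ", injected_tags(good, TEMPLATE_TAGS))
```

The same check is useful when triaging an installation: render a build whose display name contains a harmless marker tag and inspect the served report frame for that tag. If it survives unescaped, the plugin is still on a vulnerable version or another template is interpolating names without escaping.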

Affected Version(s)

Jenkins HTML Publisher Plugin 1.20 and earlier

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None (with the other metrics above, a 5.4 score corresponds to Availability: None; Availability: Low would yield 6.5)
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 1 October 2019