PT-2024-2109 · Jenkins · Jenkins Html Publisher Plugin

Kevin Guerroudj · Published 2024-03-06 · Updated 2025-05-06 · CVE-2024-28150

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins HTML Publisher Plugin versions 1.32 and earlier
Description: The plugin does not escape job names, report names, and index page titles when it renders the published report page, so the structure of that web page is not protected. The result is a stored cross-site scripting (XSS) vulnerability: a remote attacker who holds Item/Configure permission can store script content in one of these fields, and it executes in the browser of any user who views the report.
Recommendations: For Jenkins HTML Publisher Plugin versions 1.32 and earlier, update to a version that fixes this issue. As a temporary workaround, restrict access to the report frame and ensure that only trusted users hold Item/Configure permission.
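To check an instance against the affected range named above, the following added example (not code from the advisory or from the plugin project) parses the JSON that Jenkins returns from its `/pluginManager/api/json?depth=1` endpoint and flags an installed HTML Publisher Plugin at version 1.32 or earlier. The plugin short name `htmlpublisher` is assumed to be the plugin's identifier, and the sample JSON is constructed.

```python
"""Flag a Jenkins HTML Publisher Plugin install in the range this advisory
names (1.32 and earlier) from pluginManager API JSON. Added example, not
part of the advisory; plugin short name and sample data are assumptions."""
import json

AFFECTED_PLUGIN = "htmlpublisher"   # assumed short name of HTML Publisher Plugin
LAST_AFFECTED = "1.32"              # "versions 1.32 and earlier" per the advisory


def parse_version(version: str) -> tuple:
    """Split a dotted plugin version into comparable parts.

    Numeric parts compare as integers so that 1.9 < 1.32; non-numeric
    parts (Jenkins' newer '123.vabc' style) sort after numeric ones.
    """
    parts = []
    for part in version.split("."):
        parts.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is 1.32 or earlier."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def affected_plugins(plugin_manager_json: str) -> list:
    """Return [(shortName, version)] entries for affected installs.

    Input is the body of GET <jenkins>/pluginManager/api/json?depth=1.
    """
    data = json.loads(plugin_manager_json)
    hits = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != AFFECTED_PLUGIN:
            continue
        version = plugin.get("version", "0")
        if is_affected(version):
            hits.append((plugin["shortName"], version))
    return hits


# Constructed sample response: one affected install plus an unrelated plugin.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "htmlpublisher", "longName": "HTML Publisher plugin",
     "version": "1.32", "enabled": True, "active": True},
    {"shortName": "git", "longName": "Git plugin",
     "version": "5.2.1", "enabled": True, "active": True},
]})

if __name__ == "__main__":
    for name, version in affected_plugins(SAMPLE_RESPONSE):
        print(f"{name} {version}: in affected range, upgrade required")
```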

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-02005
CVE-2024-28150
GHSA-XRRW-9J78-HPF3

Affected Products

Jenkins
Jenkins Html Publisher Plugin