Description
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/10/01/2
https://access.redhat.com/errata/RHSA-2019:4055
https://access.redhat.com/errata/RHSA-2019:4089
https://access.redhat.com/errata/RHSA-2019:4097
https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590
Related Vulnerabilities
CVE-2022-45143 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2018-11778 Vulnerability in maven package org.apache.ranger:ranger
CVE-2017-7663 Vulnerability in maven package org.apache.openmeetings:openmeetings-core
CVE-2022-21700 Vulnerability in maven package io.micronaut:micronaut-http
CVE-2023-37961 Vulnerability in maven package org.jenkins-ci.plugins:assembla-auth