Jenkins HTML Publisher Plugin does not properly sanitize input
High severity
GitHub Reviewed
Published Mar 6, 2024 to the GitHub Advisory Database • Updated Dec 6, 2024
Package
Affected versions: >= 1.16, < 1.32.1
Patched versions: 1.32.1
Description
Published by the National Vulnerability Database: Mar 6, 2024
Published to the GitHub Advisory Database: Mar 6, 2024
Reviewed: Mar 6, 2024
Last updated: Dec 6, 2024
Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input. An attacker who holds Item/Configure permission (that is, who can edit job configuration) can use this to perform cross-site scripting (XSS) attacks against other Jenkins users and to determine whether a given path exists on the Jenkins controller's file system. Version 1.32.1 fixes the issue.
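The practical question for an operator is whether a given controller is inside the affected range. The script below is an added example, not code from the advisory or from the HTML Publisher Plugin project. It implements the advisory's range (>= 1.16, < 1.32.1) as a version comparison and applies it to the plugin inventory that a Jenkins controller exposes at /pluginManager/api/json?depth=1. Two things are assumptions not stated on this page: that the plugin's short name in the plugin manager is "htmlpublisher", and that the caller has an API token allowed to read the plugin manager. The inventory document embedded in the script is constructed for the example so it runs offline; `fetch_inventory` is only used when you point it at a real controller.

```python
"""Flag a Jenkins controller whose HTML Publisher Plugin is in the advisory's
affected range (>= 1.16, < 1.32.1).

Added example; not the advisory's or the plugin project's own code.
Assumptions not on the advisory page:
  - the plugin's short name in the Jenkins plugin manager is "htmlpublisher"
  - /pluginManager/api/json?depth=1 is readable with the supplied API token
"""
import json
import re
from base64 import b64encode
from typing import Optional, Tuple
from urllib.request import Request, urlopen

PLUGIN_SHORT_NAME = "htmlpublisher"  # assumption, see module docstring
AFFECTED_MIN = "1.16"                # inclusive lower bound from the advisory
FIXED_IN = "1.32.1"                  # first patched version from the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a plugin version such as '1.32.1' or '1.31-rc2' into a tuple that
    compares correctly. Only the leading digits of each dotted component are
    used; parsing stops at the first qualifier ('1.31-rc2' -> (1, 31)), so a
    pre-release of an affected version is still treated as affected."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        if not m:
            raise ValueError(f"unparseable version component: {component!r}")
        parts.append(int(m.group()))
        if m.end() != len(component):
            break
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version lies in the advisory's range: >= 1.16 and < 1.32.1.
    Tuple comparison handles the short/long mix: (1, 32) < (1, 32, 1)."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIXED_IN)


def assess(inventory: dict) -> Optional[dict]:
    """Look for the HTML Publisher Plugin in a plugin-manager document and
    report its version and affected status; None when it is not installed."""
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin["version"]
            return {"shortName": PLUGIN_SHORT_NAME, "version": version,
                    "affected": is_affected(version)}
    return None


def fetch_inventory(base_url: str, user: str, api_token: str) -> dict:
    """Read the live plugin inventory from a controller (not called offline).
    Jenkins accepts HTTP Basic auth with a user's API token for its JSON API."""
    req = Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample inventory (shape of /pluginManager/api/json?depth=1).
SAMPLE_INVENTORY = json.loads("""
{"plugins": [
  {"shortName": "htmlpublisher", "longName": "HTML Publisher plugin",
   "version": "1.32", "active": true, "enabled": true},
  {"shortName": "git", "longName": "Git plugin",
   "version": "5.2.1", "active": true, "enabled": true}
]}
""")

if __name__ == "__main__":
    result = assess(SAMPLE_INVENTORY)
    if result is None:
        print("HTML Publisher Plugin not installed")
    else:
        state = "AFFECTED, upgrade to %s" % FIXED_IN if result["affected"] else "ok"
        print(f"{result['shortName']} {result['version']}: {state}")
```

Against a real controller, replace the sample with `assess(fetch_inventory("https://jenkins.example", "user", "token"))`. The range check deliberately ignores pre-release qualifiers rather than trying to order them, because the advisory states its bounds on plain release numbers; anything that parses to 1.32 or below and 1.16 or above is reported as affected, and 1.32.1 is the first version that is not.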