CVE-2024-28149 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-28149

CVE-2024-28149

March 06, 2024

Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.

Affected Packages

org.jenkins-ci.plugins:htmlpublisher (JAVA):

Affected version(s)

Fix Suggestion:

Update to version 1.32.1

Related Resources (5)

https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3301

https://github.com/jenkinsci/htmlpublisher-plugin

https://nvd.nist.gov/vuln/detail/CVE-2024-28149

http://www.openwall.com/lists/oss-security/2024/03/06/3

https://github.com/jenkinsci/htmlpublisher-plugin/commit/8bf2e2297a86ad50f7567fb953b2f8ec18b2891b

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

LOW

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.13

Products

Solutions

Resources

Company

Compare

Developer Tools