Jenkins HTML Publisher Plugin 1.20 Cross-site Scripting Vulnerability

Summary

Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those names.

Credit:

The information has been provided by the vendor.

The original article can be found at:

https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590

 


Details

HTML Publisher Plugin did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission.

HTML Publisher Plugin now escapes the display name displayed in the frame HTML page.
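
The difference between the unescaped and escaped behaviour described above, as an added Java sketch. It is not the plugin's source: the class, method and template names are hypothetical, and the display names are constructed sample values.

```java
// Added illustration; not the HTML Publisher Plugin's code.
// FrameTitleEscaping, TEMPLATE and the render methods are hypothetical names.
public class FrameTitleEscaping {

    // Hypothetical frame page: %1$s is the project display name, %2$s the build display name.
    static final String TEMPLATE =
        "<html><head><title>%1$s - %2$s</title></head>"
      + "<body><div class=\"header\">Back to %1$s</div></body></html>";

    /** Behaviour the advisory describes as vulnerable: names inserted verbatim. */
    static String renderUnescaped(String project, String build) {
        return String.format(TEMPLATE, project, build);
    }

    /** Corrected behaviour: both names are HTML-escaped before insertion. */
    static String renderEscaped(String project, String build) {
        return String.format(TEMPLATE, escapeHtml(project), escapeHtml(build));
    }

    /** Escapes the characters that are significant in HTML text and quoted attributes. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed display names: one carries markup, one carries quotes and an ampersand.
        String project = "nightly<script>alert(1)</script>";
        String build = "#42 \"rc\" & final";

        String before = renderUnescaped(project, build);
        String after = renderEscaped(project, build);

        System.out.println("unescaped page contains a script element: " + before.contains("<script>"));
        System.out.println("escaped page contains a script element:   " + after.contains("<script>"));
        System.out.println(after);
    }
}
```

On Java 11 or later the file runs directly with `java FrameTitleEscaping.java`; the escaped page shows the display name as literal text instead of parsing it as markup.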

Vulnerable Systems:

Jenkins HTML Publisher Plugin 1.20 and earlier

CVE Information:

CVE-2019-10432

Disclosure Timeline:
Published Date: 10/09/2019