CVE-2024-28150

low-risk

Published 2024-03-06

Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Do I need to act?

0.18% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.7/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Html Publisher

Affected Vendors

Jenkins

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2024/03/06/3

Vendor Advisory https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3302

Mailing List http://www.openwall.com/lists/oss-security/2024/03/06/3

Vendor Advisory https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3302

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal