Description
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
Remediation
References
https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590
http://www.openwall.com/lists/oss-security/2019/10/01/2
https://access.redhat.com/errata/RHSA-2019:4097
https://access.redhat.com/errata/RHSA-2019:4055
https://access.redhat.com/errata/RHSA-2019:4089
Related Vulnerabilities
CVE-2022-36883 Vulnerability in maven package org.jenkins-ci.plugins:git
CVE-2022-31777 Vulnerability in maven package org.apache.spark:spark-core_2.12
CVE-2018-1000863 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-41080 Vulnerability in maven package org.apache.tomcat:tomcat
CVE-2011-0013 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core