{"id":"CVE-2019-10432","details":"Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those display names.","aliases":["GHSA-q829-hrmc-84c8"],"modified":"2026-05-18T14:45:33.966448Z","published":"2019-10-01T14:15:23.817Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/10/01/2"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4055"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4089"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4097"},{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/htmlpublisher-plugin","events":[{"introduced":"0"},{"last_affected":"2ab8df462f9049b9a49f41e42ef972c2c306ad8a"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.20"}],"cpe":"cpe:2.3:a:jenkins:html_publisher:*:*:*:*:*:jenkins:*:*","source":"CPE_FIELD"}}],"versions":["htmlpublisher-1.20","htmlpublisher-1.19","htmlpublisher-1.18","htmlpublisher-1.17","htmlpublisher-1.16","htmlpublisher-1.15","htmlpublisher-1.14","htmlpublisher-1.13","htmlpublisher-1.12","htmlpublisher-1.11","htmlpublisher-1.10","htmlpublisher-1.9","htmlpublisher-1.8","htmlpublisher-1.7","htmlpublisher-1.6","htmlpublisher-1.5","htmlpublisher-1.4","htmlpublisher-1.3","htmlpublisher-1.2","htmlpublisher-1.1","htmlpublisher-1.0","htmlpublisher-0.8","htmlpublisher-0.7","htmlpublisher-0.6","htmlpublisher-0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10432.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}