{"id":"CVE-2024-28149","details":"Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.","aliases":["GHSA-8vcg-v7g4-3vr7"],"modified":"2026-05-09T02:03:04.557570Z","published":"2024-03-06T17:15:10.450Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3301"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2024/03/06/3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/htmlpublisher-plugin","events":[{"introduced":"ba962efdc25b6358ffafb47c056be9b0a1a9b318"},{"fixed":"810e7cb7600cc1142abdbe83a477c10f45a65882"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"1.16"},{"fixed":"1.32.1"}],"cpe":"cpe:2.3:a:jenkins:html_publisher:*:*:*:*:*:jenkins:*:*"}}],"versions":["htmlpublisher-1.16","htmlpublisher-1.17","htmlpublisher-1.18","htmlpublisher-1.19","htmlpublisher-1.20","htmlpublisher-1.21","htmlpublisher-1.22","htmlpublisher-1.22-beta-1","htmlpublisher-1.23","htmlpublisher-1.24","htmlpublisher-1.25","htmlpublisher-1.26","htmlpublisher-1.27","htmlpublisher-1.28","htmlpublisher-1.29","htmlpublisher-1.30","htmlpublisher-1.31","htmlpublisher-1.32"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28149.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}]}