VYPR
Moderate severity · NVD Advisory · Published Oct 1, 2019 · Updated Aug 4, 2024

CVE-2019-10432

Description

Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins HTML Publisher Plugin 1.20 and earlier had a stored XSS vulnerability caused by unescaped project and build display names in the HTML report frame, allowing users with Job/Configure or Run/Update permission to inject arbitrary HTML or JavaScript that runs in the browser of anyone who views the report.

Vulnerability

Overview

The Jenkins HTML Publisher Plugin, in versions 1.20 and earlier, fails to escape project and build display names when rendering them in the HTML report frame [1]. An attacker who can set one of those names can therefore inject arbitrary HTML or JavaScript into the frame, a stored cross-site scripting (XSS) vulnerability [2].

Exploitation

Details

To exploit this vulnerability, an attacker needs a Jenkins account that can change a project display name (typically Job/Configure permission) or a build display name (typically Run/Update permission) [2][3]. In Pipeline jobs the build display name can also be set from the Jenkinsfile through currentBuild.displayName, so anyone able to change the pipeline definition can plant a payload as well. The payload is stored with the job or build and executes every time a user opens the published HTML report, whose frame renders the display name unescaped as the text of its "Back to ..." link (the getBackToName() accessors changed in the patch below). No special network position is required; the attack is carried out through ordinary authenticated Jenkins interactions.
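The rendering step described above, as an added example that is not code from this page or from the plugin: a Python model of the frame's "Back to" link built from a display name, first the way the pre-1.21 plugin did it (raw concatenation) and then with the escaping the fix introduces, plus a parser-based check that reports any tag the display name managed to inject. The payload name, the link format and the encode_for_html() rules (a stand-in for OWASP Encode.forHtml covering the characters & < > " ') are assumptions made for the demo.

```python
"""Added example (not from the advisory page or the HTML Publisher Plugin).

Models the report frame's "Back to <name>" link built from a display name,
before and after output encoding, and checks what a browser would see.
Assumptions: the frame emits the display name as the text of an <a> element
(the patched accessor is getBackToName(), so only that use is modelled), and
encode_for_html() mirrors OWASP Encode.forHtml for & < > " ' only."""

from html.parser import HTMLParser

# Constructed display name an attacker with Job/Configure or Run/Update
# could set. alert() stands in for anything that steals the victim's
# Jenkins session or submits requests with the victim's permissions.
PAYLOAD_NAME = 'build #7 <img src=x onerror="alert(document.cookie)">'
# Constructed legitimate name that happens to contain HTML metacharacters.
BENIGN_NAME = "Tom & Jerry's \"nightly\" build"


def encode_for_html(s: str) -> str:
    """Model of Encode.forHtml(): entity-encode the five characters that can
    change HTML structure in element content or attribute values."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;"}
    return "".join(table.get(ch, ch) for ch in s)


def render_back_link(display_name: str, back_url: str, *, escape: bool) -> str:
    """Build the frame's back link. escape=False is the pre-1.21 behaviour
    (display name concatenated raw); escape=True is the fixed behaviour."""
    name = encode_for_html(display_name) if escape else display_name
    return f'<a href="{back_url}">Back to {name}</a>'


class _FragmentReader(HTMLParser):
    """Records start tags and text the way a browser would tokenise them.
    convert_charrefs=True turns entities back into characters, so escaped
    output shows up as text and unescaped output shows up as tags."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def _read(markup: str) -> _FragmentReader:
    reader = _FragmentReader()
    reader.feed(markup)
    reader.close()
    return reader


def injected_tags(markup: str) -> list[str]:
    """Tags present in the rendered fragment other than the single <a> we
    meant to emit. Non-empty means the display name escaped the text context."""
    return [t for t in _read(markup).tags if t != "a"]


def link_text(markup: str) -> str:
    """Visible text of the fragment, entities decoded."""
    return "".join(_read(markup).text)


if __name__ == "__main__":
    for name in (PAYLOAD_NAME, BENIGN_NAME):
        for escape in (False, True):
            out = render_back_link(name, "../", escape=escape)
            print(f"escape={escape!s:5} injected={injected_tags(out)} text={link_text(out)!r}")
```

The check is what a regression test for this fix should assert: with escaping off the payload name yields an extra img element, with escaping on it yields none while the visible link text is still the full display name. Note that the benign name produces no injected tag even unescaped, which is why "it renders fine for normal names" never proves an output is safe.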

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the Jenkins origin. The script runs with whatever permissions the victim holds in Jenkins, so it can hijack the session, read or submit forms the victim can reach (job configuration and credentials pages included), or perform other actions on the victim's behalf [2]; an administrator opening a tampered report is the worst case. The advisory rates the issue Moderate (Medium) severity [1].

Mitigation

The Jenkins security advisory [2] and the plugin maintainers [3] recommend upgrading to HTML Publisher Plugin 1.21 or later, which passes both display names through OWASP Java Encoder's Encode.forHtml before they reach the report frame. Users who cannot upgrade should restrict Job/Configure and Run/Update permission to trusted users. Upgrading fixes the rendering but does not remove display names that were already tampered with, so after patching it is worth reviewing stored job and build display names that contain HTML metacharacters.
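A post-upgrade check, as an added example that is not part of the advisory or the plugin: a read-only Python audit that walks a JENKINS_HOME and lists project and build display names containing HTML metacharacters, so payloads stored before the fix can be reviewed. It assumes Jenkins keeps the project display name in jobs/<job>/config.xml as displayNameOrNull and the build display name in jobs/<job>/builds/<n>/build.xml as displayName (folders nest another jobs/ level, which the recursive glob covers); the sample directory it builds is constructed for the demo.

```python
"""Added audit script (not from the advisory page or the HTML Publisher
Plugin): list stored project/build display names containing HTML
metacharacters in a Jenkins home directory.

Assumptions: the project display name is persisted in jobs/<job>/config.xml
as <displayNameOrNull> and the build display name in
jobs/<job>/builds/<n>/build.xml as <displayName>."""

import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# Any of these can change HTML structure when rendered raw. A legitimate name
# such as "Tom & Jerry" matches too, so the output is a review list, not a
# verdict.
HTML_METACHARS = set('<>"\'&')

# (file name, element that holds the display name)
CHECKS = [
    ("config.xml", "displayNameOrNull"),  # project display name
    ("build.xml", "displayName"),         # build display name
]


def _parse_jenkins_xml(path: Path) -> Optional[ET.Element]:
    """Parse one Jenkins XML file. Jenkins writes an XML 1.1 declaration,
    which not every parser accepts, so the declaration is dropped first;
    the elements read here do not depend on it. Files that still fail to
    parse are skipped (None) instead of aborting the whole audit."""
    text = path.read_text(encoding="utf-8", errors="replace")
    if text.startswith("<?xml"):
        text = text[text.find("?>") + 2:]
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        return None


def suspicious_display_names(jenkins_home: str) -> list[tuple[str, str, str]]:
    """Return sorted (relative file path, element, display name) for every
    stored display name containing an HTML metacharacter. The XML parser
    decodes entities, so '&lt;img' on disk is reported as '<img'."""
    home = Path(jenkins_home)
    findings = []
    for filename, element in CHECKS:
        for path in home.glob(f"jobs/**/{filename}"):
            root = _parse_jenkins_xml(path)
            if root is None:
                continue
            for node in root.iter(element):
                value = node.text or ""
                if HTML_METACHARS & set(value):
                    findings.append((path.relative_to(home).as_posix(), element, value))
    return sorted(findings)


def build_demo_home() -> str:
    """Write a constructed JENKINS_HOME: one clean job and one whose project
    and build display names carry payloads, entity-encoded in the XML the
    way a serialiser would store them."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    decl = "<?xml version='1.1' encoding='UTF-8'?>\n"
    files = {
        "jobs/clean/config.xml":
            decl + "<project><displayNameOrNull>Nightly</displayNameOrNull></project>",
        "jobs/clean/builds/1/build.xml":
            decl + "<build><displayName>#1</displayName></build>",
        "jobs/tampered/config.xml":
            decl + "<project><displayNameOrNull>Deploy &lt;script&gt;alert(1)"
                   "&lt;/script&gt;</displayNameOrNull></project>",
        "jobs/tampered/builds/7/build.xml":
            decl + "<build><displayName>#7 &lt;img src=x onerror=alert(1)&gt;"
                   "</displayName></build>",
        "jobs/tampered/builds/8/build.xml":
            decl + "<build><number>8</number></build>",  # no custom display name
    }
    for rel, content in files.items():
        target = Path(home, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return home


if __name__ == "__main__":
    for rel, element, value in suspicious_display_names(build_demo_home()):
        print(f"{rel}: <{element}> = {value!r}")
```

Run it against a real instance with suspicious_display_names("/var/lib/jenkins") (path is an assumption) on a copy of the home directory or with read-only access; each hit names the job or build whose display name to inspect, and the config history or audit log then shows who set it.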

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:htmlpublisher (Maven)
Affected versions: < 1.21
Patched versions: 1.21

Affected products (3)

Patches (1)
637aad0308f8

[SECURITY-1590]

https://github.com/jenkinsci/htmlpublisher-plugin · Richard Bywater · Sep 26, 2019 · via ghsa
2 files changed · +8 −2
  • pom.xml (+5 −0, modified)
    @@ -89,6 +89,11 @@
               <artifactId>workflow-step-api</artifactId>
               <version>${workflow.version}</version>
             </dependency>
    +        <dependency>
    +            <groupId>org.owasp.encoder</groupId>
    +            <artifactId>encoder</artifactId>
    +            <version>1.2.2</version>
    +        </dependency>
             <dependency> <!-- Test framework -->
               <groupId>org.jenkins-ci.plugins.workflow</groupId>
               <artifactId>workflow-step-api</artifactId>
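Review bot: the org.owasp.encoder:encoder version is hard-coded as 1.2.2 in this hunk while the neighbouring workflow-step-api dependency takes its version from ${workflow.version}; a property or the parent's dependency management would let the encoder be bumped in one place. The new block is also inserted between the runtime workflow-step-api dependency and its "Test framework" copy; placing it with the other runtime dependencies keeps the two workflow-step-api entries adjacent and the test-only section readable.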
    
  • src/main/java/htmlpublisher/HtmlPublisherTarget.java (+3 −2, modified)
    @@ -17,6 +17,7 @@
     import org.kohsuke.stapler.DataBoundSetter;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.owasp.encoder.Encode;
     
     import com.google.common.base.Charsets;
     import com.infradna.tool.bridge_method_injector.WithBridgeMethods;
    @@ -253,7 +254,7 @@ public String getIconFileName() {
             }
     
             public String getBackToName() {
    -            return project.getDisplayName();
    +            return Encode.forHtml(project.getDisplayName());
             }
     
             public String getBackToUrl() {
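Review bot: encoding inside the getter rather than at the output site means getBackToName() now returns HTML entities instead of the display name; any other caller (a title attribute, JSON, plain text) receives &#39; and &lt; literally, and a view that already escapes this value will double-encode it. Since the view must currently be emitting the value unescaped for the bug to exist, the more robust fix is to keep `return project.getDisplayName();` and escape in the frame's template instead (the view layer's default output escaping, or Encode.forHtml applied there). If the getter has to encode, name or document it as returning HTML and confirm the view only uses it as element text, because Encode.forHtml is not sufficient for JavaScript or URL contexts.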
    @@ -416,7 +417,7 @@ protected String getTitle() {
     
             @Override
             public String getBackToName() {
    -            return build.getDisplayName();
    +            return Encode.forHtml(build.getDisplayName());
             }
     
             @Override
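Review bot: the hunk header shows a sibling getTitle() just above this override; if that title, or anything else the frame renders, is also built from build.getDisplayName() or the project name, it needs the same treatment, otherwise the escaping is only as complete as these two accessors. Worth adding a unit test that sets a display name such as <img src=x onerror=alert(1)> and asserts the rendered frame contains &lt;img and no <img, so the behaviour of both getBackToName() overrides is pinned.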
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)

News mentions (0)

No linked articles in our index yet.