Jenkins HTML Publisher Plugin prior to version 1.21 did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those. This issue has been patched in version 1.21
{ "nvd_published_at": "2019-10-01T14:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-06T20:36:28Z" }