HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. HTML Publisher Plugin 1.32.1 escapes job names, report names, and index page titles when creating a new report. HTML Publisher Plugin 1.32.1 checks reports created in earlier releases for the presence of unsafe characters in the report frame, and refuses to show these frames if unsafe characters are identified. References: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3302