Stored Cross-Site Scripting Vulnerability in Jenkins Email Extension Plugin
CVE-2023-25764

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Email Extension Plugin
Vendor: CVE Published:; 15 February 2023

What is CVE-2023-25764?

The Jenkins Email Extension Plugin, up to version 2.93, suffers from a stored cross-site scripting vulnerability due to inadequate escaping and sanitization of output generated from email templates. Attackers can exploit this flaw by creating or modifying custom email templates, which may allow them to inject malicious scripts. These scripts could potentially execute in the context of any user viewing the rendered email or logs, posing significant security risks. It's essential for users of this plugin to ensure they are using patched versions to mitigate this vulnerability.

Affected Version(s)

Jenkins Email Extension Plugin 0 <= 2.93

Jenkins Email Extension Plugin 2.89.0.1

References

https://www.jenkins.io/security/advisory/2023-02-15/#SECU...

http://www.openwall.com/lists/oss-security/2023/02/15/4

mailing-list

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 15, 2023
Vulnerability Reserved
Feb 14, 2023

JSON