Stored Cross-Site Scripting Vulnerability in Jenkins Email Extension Plugin
CVE-2023-25764

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Email Extension Plugin
Vendor: CVE Published:; 15 February 2023

Summary

The Jenkins Email Extension Plugin, up to version 2.93, suffers from a stored cross-site scripting vulnerability due to inadequate escaping and sanitization of output generated from email templates. Attackers can exploit this flaw by creating or modifying custom email templates, which may allow them to inject malicious scripts. These scripts could potentially execute in the context of any user viewing the rendered email or logs, posing significant security risks. It's essential for users of this plugin to ensure they are using patched versions to mitigate this vulnerability.

Affected Version(s)

Jenkins Email Extension Plugin 0 <= 2.93

Jenkins Email Extension Plugin 2.89.0.1

References

https://www.jenkins.io/security/advisory/2023-02-15/#SECU...

http://www.openwall.com/lists/oss-security/2023/02/15/4

mailing-list

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 15, 2023
Vulnerability Reserved
Feb 14, 2023