CVE-2023-25764 – org.jenkins-ci.plugins:email-ext

Package

Manager: maven
Name: org.jenkins-ci.plugins:email-ext
Vulnerable Version: >=0 <2.94

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.04677 pctl0.88913

Details

Cross-site Scripting in Jenkins Email Extension Plugin Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.

Metadata

Created: 2023-02-15T15:30:41Z
Modified: 2023-02-23T21:31:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-p2fr-mq9m-6w6p/GHSA-p2fr-mq9m-6w6p.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-p2fr-mq9m-6w6p
Finding: F425
Auto approve: 1