First published: Wed Feb 15 2023(Updated: )
Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.jenkins-ci.plugins:email-ext | <=2.93 | 2.94 |
Jenkins Email Extension Template | <=2.93 | |
Jenkins Email Extension Template | <2.93.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-25764 is classified as a high severity vulnerability due to its potential for stored cross-site scripting (XSS) exploitation.
CVE-2023-25764 affects Jenkins Email Extension Plugin versions up to and including 2.93.
To fix CVE-2023-25764, update the Jenkins Email Extension Plugin to version 2.94 or later.
CVE-2023-25764 is a stored cross-site scripting (XSS) vulnerability.
CVE-2023-25764 can be exploited by attackers who can create or modify custom email templates.