CVE-2023-25764 — Cross-site Scripting in Jenkins Email Extension Plugin

Description

Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.

How to fix CVE-2023-25764

To remediate CVE-2023-25764, upgrade the affected package to a fixed version below.

—upgrade to 2.94 or later

Is CVE-2023-25764 being exploited?

Moderate — EPSS is 20.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.94

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-25764
PATCHgithub.com/jenkinsci/email-ext-plugin
WEBgithub.com/jenkinsci/email-ext-plugin/commit/7b2bd251aa0193d009d85b713362d965dab262d0
WEBwww.jenkins.io/security/advisory/2023-02-15/#SECURITY-2934