CVE-2023-25764

CWE-79Cross-site Scripting (XSS)5 documents5 sources
Severity
5.4MEDIUM
EPSS
11.7%
top 6.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Email ExtensionJenkins Project Jenkins Email Extension Plugin
Timeline
PublishedFeb 15

Description

Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

🔴Vulnerability Details

3
GHSA
Cross-site Scripting in Jenkins Email Extension Plugin2023-02-15
OSV
Cross-site Scripting in Jenkins Email Extension Plugin2023-02-15
CVEList
CVE-2023-25764: Jenkins Email Extension Plugin 22023-02-15

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2023-02-152023-02-15
CVE-2023-25764 (MEDIUM CVSS 5.4) | Jenkins Email Extension Plugin 2.93 | cvebase.io