Vulnerability Description
Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Email Extension | < 2.93.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/02/15/4Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2934Vendor Advisory
- http://www.openwall.com/lists/oss-security/2023/02/15/4Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2934Vendor Advisory
FAQ
What is CVE-2023-25764?
CVE-2023-25764 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site...
How severe is CVE-2023-25764?
CVE-2023-25764 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25764?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Email Extension.