CVE-2023-25763
Description
Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Email Extension Plugin 2.93 and earlier has a stored XSS vulnerability due to insufficient escaping of fields in bundled email templates.
Vulnerability
CVE-2023-25763 is a stored cross-site scripting (XSS) vulnerability in the Jenkins Email Extension Plugin, versions 2.93 and earlier. The plugin ships several preconfigured Groovy templates for notification emails, and these templates interpolate certain values straight into the generated HTML without escaping them: the build display name, the short descriptions of the build's causes (which embed the display name of the user who triggered the build), and JUnit package and test names. Any of these can carry markup chosen by whoever controls the value, and that markup is interpreted as HTML or JavaScript when the rendered template is viewed, whether in the delivered email or in the plugin's Email Template Testing feature inside Jenkins [2].
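To make the mechanism concrete, the following is an added example (not code from the email-ext plugin or the Jenkins project) that renders two lines taken from the bundled templates with Groovy's own SimpleTemplateEngine, once as shipped in 2.93 and once with the escaping the fix commit added. `Util.xmlEscape` is an assumed stand-in for hudson.Util.xmlEscape (taken here to replace `&`, `<` and `>` only; the real class is not available outside Jenkins), and `evilBuild` is a constructed map standing in for the build object the template normally sees.

```groovy
import groovy.text.SimpleTemplateEngine

// Stand-in for hudson.Util (assumption: xmlEscape handles &, < and > only).
// Quotes are left alone, so it is adequate between tags, not in attributes.
class Util {
    static String xmlEscape(String s) {
        s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
    }
}

// The display-name line from groovy-html-larry.template and the cause loop
// from groovy-html.template, each before and after the fix. Single quotes keep
// ${...} literal so the template engine, not this script, evaluates it.
final String VULN_NAME   = '<th>Build ${build.displayName}:</th>'
final String FIXED_NAME  = '<th>Build ${Util.xmlEscape(build.displayName)}:</th>'
final String VULN_CAUSE  = '<td><% build.causes.each() { cause -> %> ${cause.shortDescription} <% } %></td>'
final String FIXED_CAUSE = '<td><% build.causes.each() { cause -> %> ${Util.xmlEscape(cause.shortDescription)} <% } %></td>'

// Render one template fragment the way email-ext renders Groovy templates:
// the build object is exposed as `build` and ${...} / <% %> run as Groovy.
String render(String templateText, Map build) {
    new SimpleTemplateEngine()
        .createTemplate(templateText)
        .make([build: build, Util: Util])
        .toString()
}

// Constructed build whose attacker-controlled fields carry markup. In Jenkins
// the display name is set by whoever runs or configures the job, and the
// cause description embeds the triggering user's own display name.
Map evilBuild = [
    displayName: '<img src=x onerror=alert(document.cookie)>',
    causes: [[shortDescription: 'Started by user <script>alert(1)</script>']]
]

println 'vulnerable name:  ' + render(VULN_NAME, evilBuild)
println 'fixed name:       ' + render(FIXED_NAME, evilBuild)
println 'vulnerable cause: ' + render(VULN_CAUSE, evilBuild)
println 'fixed cause:      ' + render(FIXED_CAUSE, evilBuild)

// The unpatched lines emit the payload as live markup; the patched ones do not.
assert render(VULN_NAME, evilBuild).contains('<img src=x')
assert !render(FIXED_NAME, evilBuild).contains('<img')
assert render(FIXED_NAME, evilBuild).contains('&lt;img src=x onerror=alert(document.cookie)&gt;')
assert render(VULN_CAUSE, evilBuild).contains('<script>')
assert !render(FIXED_CAUSE, evilBuild).contains('<script>')

// A benign display name renders identically either way, so escaping costs nothing.
assert render(VULN_NAME, [displayName: '#42']) == render(FIXED_NAME, [displayName: '#42'])
```

Run it with the `groovy` command line; the script exits non-zero if any assertion fails. The same `${...}` evaluation that makes the templates convenient is what turns a display name into markup: nothing in the engine distinguishes data from HTML, so every interpolated string has to be escaped at the point where it is written into element content.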
Exploitation
The attacker needs only enough Jenkins access to put a value into one of the affected fields, which is well below administrator level: for example, permission to configure or run a job so that a build sets its own display name, to trigger a build so that the cause description carries the attacker's own user display name (a user can normally edit their own full name), or to publish test results whose test names contain markup. The payload is then stored in Jenkins and rendered every time the template is evaluated for that build: in the notification email and in the Email Template Testing preview [2]. No direct access to the victim's browser is required; the Jenkins server delivers the payload. The in-Jenkins preview is the more dependable vector, since it renders the HTML inside the viewer's authenticated Jenkins session, whereas most mail clients refuse to execute script in HTML mail.
Impact
Successful exploitation runs attacker-chosen JavaScript in the victim's browser with the victim's Jenkins session, when the rendered template is displayed inside Jenkins. Script running in the Jenkins origin can read the page's CSRF crumb and call any Jenkins API the victim is authorised for, so the consequences range from session hijacking and credential theft to job reconfiguration or other unauthorised actions performed with the victim's privileges. The vulnerability is rated as High severity [2].
Mitigation
The Jenkins security advisory of February 15, 2023 states that Email Extension Plugin 2.93.1 escapes the affected fields; upgrade to 2.93.1 or later [2][4]. Note that the package table below, which is sourced from the GitHub Security Advisory, lists 2.94 as the first patched Maven version, so dependency tooling keyed to that advisory will not consider 2.93.1 clean. No workaround is given, and the issue was disclosed in that advisory together with its fix. Two caveats for operators: the fix touches only the bundled templates, so administrators who maintain their own Groovy HTML templates must add the same escaping (hudson.Util.xmlEscape on every interpolated string in element content) themselves; and because the payloads are stored, values already planted in build display names, causes, test names or user names remain in place after the upgrade, harmless to the patched templates but worth auditing as evidence of attempted abuse.
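The following is an added example that serves both the Exploitation and Mitigation sections above; it is not code from the email-ext plugin or the Jenkins project. It is a read-only audit script for Manage Jenkins > Script Console (administrator access) that checks whether the installed email-ext is below the fixed 2.93.1 and then lists the attacker-controllable fields named in the advisory that contain HTML metacharacters: build display names, build cause descriptions and user display names. It uses only core Jenkins APIs; JUnit test names are not walked, since they come from uploaded reports and need the JUnit plugin's API. The `suspicious` heuristic (flagging any `<` or `&`) is an assumption chosen for this example.

```groovy
import jenkins.model.Jenkins
import hudson.model.Job
import hudson.model.User
import hudson.util.VersionNumber

def j = Jenkins.get()

// 1. Version check against the first fixed release named in the advisory.
def plugin = j.pluginManager.getPlugin('email-ext')
if (plugin == null) {
    println 'email-ext is not installed: not affected'
} else if (plugin.versionNumber.isOlderThan(new VersionNumber('2.93.1'))) {
    println "email-ext ${plugin.version} is VULNERABLE (fixed in 2.93.1)"
} else {
    println "email-ext ${plugin.version} is at or above the fixed version"
}

// 2. Values the unpatched templates interpolated without escaping. Anything
// that can open a tag or an entity is reported; genuine values rarely
// contain '<' or '&' (heuristic chosen for this example).
def suspicious = { String s -> s != null && (s.contains('<') || s.contains('&')) }
int hits = 0

// Build display names and cause descriptions, across every job and build.
// On a large instance this walks all build records, so expect it to take a while.
j.getAllItems(Job).each { job ->
    job.builds.each { run ->
        if (suspicious(run.displayName)) {
            println "build display name  ${job.fullName} #${run.number}: ${run.displayName.inspect()}"
            hits++
        }
        run.causes.each { cause ->
            if (suspicious(cause.shortDescription)) {
                println "build cause         ${job.fullName} #${run.number}: ${cause.shortDescription.inspect()}"
                hits++
            }
        }
    }
}

// User display names, which the cause descriptions embed.
User.getAll().each { u ->
    if (suspicious(u.fullName)) {
        println "user display name   ${u.id}: ${u.fullName.inspect()}"
        hits++
    }
}

println "${hits} suspicious value(s) found"
```

A hit is not proof of exploitation (an `&` in a display name is legal), but each one identifies a value that the unpatched templates would have written into the email as raw HTML, together with the job, build or user it belongs to, which is what an incident responder needs to decide who planted it and whether the in-Jenkins preview was used to view it.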
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:email-ext (Maven) | < 2.94 | 2.94 |
Affected products
- Jenkins Project / Jenkins Email Extension Plugin (v5 range: unspecified)
Patches
Commit ebfb97475ec6 (SECURITY-2931), 2 files changed, +5 −5
src/main/resources/hudson/plugins/emailext/templates/groovy-html-larry.template+1 −1 modified@@ -46,7 +46,7 @@ img.cartoon {width: 36px; display:inline} <td>${project.name}</td> </tr> <tr> - <th>Build ${build.displayName}:</th> + <th>Build ${hudson.Util.xmlEscape(build.displayName)}:</th> <td><a href="${rooturl}${build.url}">${rooturl}${build.url}</a></td> </tr>
src/main/resources/hudson/plugins/emailext/templates/groovy-html.template+4 −4 modified@@ -78,7 +78,7 @@ </tr> <tr> <td>Cause:</td> - <td><% build.causes.each() { cause -> %> ${cause.shortDescription} <% } %></td> + <td><% build.causes.each() { cause -> %> ${hudson.Util.xmlEscape(cause.shortDescription)} <% } %></td> </tr> </table> <br/> @@ -208,7 +208,7 @@ junitResult -> junitResult.getChildren().each { packageResult -> %> <tr> - <td>${packageResult.getName()}</td> + <td>${hudson.Util.xmlEscape(packageResult.getName())}</td> <td>${packageResult.getFailCount()}</td> <td>${packageResult.getPassCount()}</td> <td>${packageResult.getSkipCount()}</td> @@ -218,15 +218,15 @@ test -> %> <tr> <td class="test test-fixed" colspan="5"> - ${test.getFullName()} ${test.getStatus()} + ${hudson.Util.xmlEscape(test.getFullName())} ${test.getStatus()} </td> </tr> <% } %> <% packageResult.getFailedTests().sort({a,b -> a.getAge() <=> b.getAge()}).each{ failed_test -> %> <tr> <td class="test test-failed" colspan="5"> - ${failed_test.getFullName()} (Age: ${failed_test.getAge()}) + ${hudson.Util.xmlEscape(failed_test.getFullName())} (Age: ${failed_test.getAge()}) </td> </tr> <% }
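Review bot: in the groovy-html-larry.template hunk only `${build.displayName}` is wrapped, while the context lines `<td>${project.name}</td>` and `<a href="${rooturl}${build.url}">${rooturl}${build.url}</a>` still interpolate raw. Job names are constrained by Jenkins' item-name check and the build URL derives from them, so this is probably not exploitable, but escaping every interpolated value in the block would make that reasoning unnecessary, and xmlEscape is in any case not the right primitive for the href attribute, which needs attribute-context escaping.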
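Review bot: the Cause row in groovy-html.template now passes `cause.shortDescription` through `hudson.Util.xmlEscape`, which is adequate only because the value lands in element content of a `<td>`; xmlEscape is an element-content escape and does not handle quotes, so this pattern must not be copied into a `title=` or `href=`. A one-line comment in the template stating that would keep the next edit from reusing it in an attribute.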
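Review bot: in the test-row hunk (around line 218) `${test.getStatus()}` and `(Age: ${failed_test.getAge()})` stay unescaped next to the now-escaped `getFullName()`; both come from the JUnit result rather than from a free-form string (a status value and an integer), so they are not attacker-controlled, but saying so in a comment would save the next reviewer the same check. Since the commit touches only two bundled templates (+5 −5) and the advisory text covers "various fields included in bundled email templates", please confirm the remaining bundled templates that print these same fields were audited.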
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h97r-fchm-m23x (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-25763 (NVD)
- www.openwall.com/lists/oss-security/2023/02/15/4 (oss-security mailing list)
- github.com/jenkinsci/email-ext-plugin/commit/ebfb97475ec6491f28b88a8b5acbb99ff36f4d7f (fix commit)
- www.jenkins.io/security/advisory/2023-02-15/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2023-02-15 (Jenkins Security Advisories, Feb 15, 2023)