Moderate severityNVD Advisory· Published Feb 15, 2023· Updated Mar 19, 2025

CVE-2023-25764

Description

Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Email Extension Plugin ≤2.93 suffers from stored XSS because it fails to escape rendered email template output or log output, allowing attackers who can create/change templates to inject malicious scripts.

Vulnerability

Description

Jenkins Email Extension Plugin versions 2.93 and earlier contain a stored cross-site scripting (XSS) vulnerability. The root cause is that the plugin does not escape, sanitize, or sandbox the output of rendered email templates or the log output generated during template rendering [1][2][3]. This means any fields included in email templates — such as build display name, user display name, or test names — are injected directly into the rendered HTML content without proper encoding.

Attack

Vector & Prerequisites

An attacker must have the ability to create or modify custom email templates within Jenkins [2][3]. This typically requires Overall/Administer permission or the specific permission to configure email templates (e.g., Manage Email Templates). Once a malicious template is deployed, the XSS payload will be executed in the context of any user who views the rendered template output, such as through the “Email Template Testing” feature, or when the plugin logs template rendering output [2]. The vulnerability is classified as stored XSS because the malicious content persists in the template configuration and is served to subsequent viewers.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any victim who accesses the affected email template output (e.g., viewing a build’s email preview or logs) [2][3]. This can lead to session hijacking, credential theft, or performing actions on behalf of the victim within Jenkins. The vulnerability has been assigned a CVSS score of High (though specific vector not provided in the references) [2][4].

Mitigation

The vulnerability is fixed in Email Extension Plugin version 2.93.1 [2][4]. Users should upgrade immediately; no workarounds are mentioned in the official advisory. Those unable to upgrade should restrict the ability to create or modify custom email templates to only trusted administrators, and avoid using the Email Template Testing feature [2].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:email-extMaven	< 2.94	2.94

Affected products

ghsa-coords
pkg:maven/org.jenkins-ci.plugins/email-ext
Range: < 2.94
Jenkins Project/Jenkins Email Extension Pluginv5
Range: 0

Patches

7b2bd251aa01

SECURITY-2934

https://github.com/jenkinsci/email-ext-pluginJulie HeardFeb 8, 2023via ghsa

commit

2 files changed · +4 −4

src/main/java/hudson/plugins/emailext/EmailExtTemplateAction.java+1 −1 modified

@@ -134,7 +134,7 @@ public String[] renderTemplate(String templateFile, String buildId) {
                 scriptContent.template = templateFile;                
                 result[0] = scriptContent.evaluate(build, listener, "SCRIPT");                
             }
-            result[1] = stream.toString(ExtendedEmailPublisher.descriptor().getCharset());
+            result[1] = hudson.Util.xmlEscape(stream.toString(ExtendedEmailPublisher.descriptor().getCharset()));
         } catch (Exception ex) {
             result[0] = renderError(ex);
         }

src/main/resources/hudson/plugins/emailext/EmailExtTemplateAction/index.groovy+3 −3 modified

@@ -18,7 +18,7 @@ l.layout {
                 var templateFile = document.getElementById('template_file_name').value;
                 var buildId = document.getElementById('template_build').value;
                 templateTester.renderTemplate(templateFile,buildId, function(t) {
-                    document.getElementById('rendered_template').innerHTML = t.responseObject()[0];
+                    document.getElementById('rendered_template').src = "data:text/html;charset=utf-8," + escape(t.responseObject()[0]);
                     var consoleOutput = t.responseObject()[1];
                     if(consoleOutput.length == 0) {
                         document.getElementById('output').style.display = 'none';                        
@@ -49,7 +49,7 @@ l.layout {
                     }
                 }
             }
-            div(id: "rendered_template")
+            iframe(id:"rendered_template", width:"80%", height:"500px", frameBorder:"0", sandbox:"")
             div(id: "output", style: "display:none;") {
                 hr()
                 h3(_("Template Console Output"))
@@ -61,4 +61,4 @@ l.layout {
             st.redirect(url: "${rootURL}")
         }
     }
-}
\ No newline at end of file
+}

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-p2fr-mq9m-6w6pghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-25764ghsaADVISORY
www.openwall.com/lists/oss-security/2023/02/15/4ghsamailing-listWEB
github.com/jenkinsci/email-ext-plugin/commit/7b2bd251aa0193d009d85b713362d965dab262d0ghsaWEB
www.jenkins.io/security/advisory/2023-02-15/ghsaWEB

News mentions

Jenkins Security Advisory 2023-02-15
Jenkins Security Advisories · Feb 15, 2023

cvss	0.260
epss	0.016
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000