- Bug
- Resolution: Unresolved
- Minor
- None
Description
Email Extension Template does not escape the email template name from Email Template Management in the onclick attribute.
This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.
We don't consider it a security vulnerability, because you need Administer permission to exploit it, and as an administrator you can already do everything an XSS would allow.
Recommendation
- (minimum) escape the variable with Util.escape (from Jenkins core), or
- (better) inject the Java variable value following the best practice from https://www.jenkins.io/doc/developer/security/xss-prevention/#passing-values-to-javascript.
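
The difference between the two options, as an added example that is not code from the plugin or from the Jenkins project. It assumes the name is placed inside a quoted JavaScript string in the onclick handler, which this report does not show; removeTemplate, marker, data-template-name and the sample name are constructed, and escapeHtml is a stand-in for an HTML escaper, not Util.escape itself.

```javascript
// Added example. All identifiers below are hypothetical, not taken from the plugin.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENT[c]);

// The HTML parser decodes character references in an attribute value
// before the value is used, whether as script source or as data.
const decodeAttr = (s) =>
  s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => Object.keys(ENT).find((k) => ENT[k] === m));

// Read an attribute back the way a browser would: raw value, then decoded.
function attr(html, name) {
  const m = html.match(new RegExp(`${name}="([^"]*)"`));
  return m ? decodeAttr(m[1]) : null;
}

// Pattern 1: name interpolated into a JS string inside onclick, HTML-escaped only.
const renderInline = (name) =>
  `<a onclick="removeTemplate('${escapeHtml(name)}')">x</a>`;

// Pattern 2: name carried in a data attribute; no handler source is generated.
const renderData = (name) =>
  `<a class="remove-template" data-template-name="${escapeHtml(name)}">x</a>`;

// Record which functions run, using stubs instead of a real page.
function runInline(html) {
  const calls = [];
  const stub = (fn) => (arg) => calls.push([fn, arg]);
  // The decoded attribute text is what gets compiled as the handler body.
  new Function('removeTemplate', 'marker', attr(html, 'onclick'))(
    stub('removeTemplate'), stub('marker'));
  return calls;
}

// Stand-in for a listener in a separate script file: the name is read as a string.
function runData(html) {
  return [['removeTemplate', attr(html, 'data-template-name')]];
}

// Constructed template name containing a quote that ends the JS string literal.
const NAME = "a'); marker('injected";

function demo() {
  return { inline: runInline(renderInline(NAME)), data: runData(renderData(NAME)) };
}
console.log(JSON.stringify(demo()));
```

With HTML escaping alone the decoded handler source contains two statements, so the stub marker runs; with the data attribute the same name arrives intact as a single string argument.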