-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Minor
-
Component/s: emailext-template-plugin
Description
Email Extension Template does not escape the name of the Email template Management in the onclick attribute.
This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.
We don't consider it a security vulnerability, because you need administer permission to exploit it and as an administer you can already do all the impact of a XSS.
Recommendation
- (minimum) escape the variable, with Util.escape (from Jenkins Core),
- (better) or inject the Java variable value following best practice from https://www.jenkins.io/doc/developer/security/xss-prevention/#passing-values-to-javascript.
