Bug | Resolution: Unresolved | Minor | None
Description
Email Extension Template (https://plugins.jenkins.io/emailext-template/) does not escape the template name on the email template management page (https://github.com/jenkinsci/emailext-template-plugin/blob/af337e0d65b0bb510b4bf435be8f68e82010135c/src/main/resources/org/jenkinsci/plugins/emailext_template/ExtEmailTemplateManagement/index.groovy#L47) when it inserts that name into an onclick attribute.
This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.
We don't consider it a security vulnerability, because Overall/Administer permission is needed to exploit it, and an administrator can already do everything an XSS payload could.
Recommendation
- (minimum) escape the variable with Util.escape (from Jenkins Core), or
- (better) pass the Java value to JavaScript following the best practice at https://www.jenkins.io/doc/developer/security/xss-prevention/#passing-values-to-javascript.
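To make the difference between the two recommendations concrete, here is an added example (not code from the emailext-template plugin or from Jenkins core) that models the rendering of a per-template "Delete" link in three ways: the unescaped interpolation the issue describes, the HTML-escaped variant, and the data-attribute variant from the linked Jenkins guidance. The template name PAYLOAD, the render/handler function names and the `data-template-name` attribute are assumptions made for the example; `utilEscape` re-implements the attribute-relevant part of hudson.Util.escape for illustration and is not the Jenkins class. The example models a plain string template with no further output escaping by a templating layer, which is the pessimistic case.

```javascript
// Added example: three ways to render a "Delete" link whose confirm() prompt
// contains a template name, checked against a name chosen by a malicious admin.
// Nothing here is Jenkins or plugin code; names are assumptions for the example.

// Constructed attacker-controlled template name.
const PAYLOAD = "nightly');alert(document.domain);//";

// Re-implementation (for illustration only) of the characters hudson.Util.escape
// rewrites that matter inside an attribute; newline and space handling omitted.
function utilEscape(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  }[c]));
}

// What the browser does to any attribute value before the JavaScript engine
// (for onclick) or element.dataset (for data-*) ever sees it: entity decoding.
function decodeAttribute(s) {
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (m, e) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#039": "'",
  }[e]));
}

// 1. Unescaped interpolation into onclick: the pattern the issue describes.
function renderVulnerable(name) {
  return `<a href="#" onclick="return confirm('Delete ${name}?')">Delete</a>`;
}

// 2. HTML-escape the value before it lands in the onclick attribute.
function renderHtmlEscaped(name) {
  return `<a href="#" onclick="return confirm('Delete ${utilEscape(name)}?')">Delete</a>`;
}

// 3. Never build JavaScript from the value: store it in a data attribute and
//    let a static handler (shipped as a separate .js file) read it at runtime.
function renderDataAttribute(name) {
  return `<a href="#" class="template-delete" data-template-name="${utilEscape(name)}">Delete</a>`;
}

// Static handler for approach 3. `el` is a DOM element; the tests simulate it
// with a plain object carrying a `dataset` property. The name only ever
// becomes part of a string value, never part of code.
function confirmDelete(el) {
  return `Delete ${el.dataset.templateName}?`;
}

// The JavaScript the HTML parser would hand to the JS engine for the onclick
// attribute, after entity decoding; null when the markup has no onclick.
function onclickJs(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m ? decodeAttribute(m[1]) : null;
}

// Crude breakout check: the handler embeds the name in exactly one
// single-quoted JS string literal, so the decoded JavaScript must contain
// exactly two single quotes. Any extra quote means the name closed the literal.
function handlerIsIntact(html) {
  const js = onclickJs(html);
  return js !== null && (js.match(/'/g) || []).length === 2;
}

// Simulate the browser reading the data attribute into element.dataset.
function datasetValue(html) {
  const m = /data-template-name="([^"]*)"/.exec(html);
  return m ? decodeAttribute(m[1]) : null;
}

function demo() {
  const stored = datasetValue(renderDataAttribute(PAYLOAD));
  return {
    vulnerableIntact: handlerIsIntact(renderVulnerable(PAYLOAD)),
    htmlEscapedIntact: handlerIsIntact(renderHtmlEscaped(PAYLOAD)),
    dataAttrRoundTrip: stored === PAYLOAD,
    prompt: confirmDelete({ dataset: { templateName: stored } }),
  };
}
```

The point the check makes is that an event-handler attribute is HTML-decoded before it is parsed as JavaScript, so in this plain-template model `&#039;` turns back into `'` and the escaped variant still lets the name close the string literal. Whether HTML escaping alone is enough in a real view therefore depends on whether the templating layer escapes the attribute a second time on output; the data-attribute route does not depend on that at all, which is why it is the better fix. The same approach generalises to any value that a view needs to hand to client-side code.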
[JENKINS-68868] [emailext-template] Admin only XSS
Change history
Description edited: the only change is that the sentence "We don't consider it a security vulnerability" was marked up in italics; the text is otherwise identical to the description above (links in the original: plugin page https://plugins.jenkins.io/emailext-template/, affected line https://github.com/jenkinsci/emailext-template-plugin/blob/af337e0d65b0bb510b4bf435be8f68e82010135c/src/main/resources/org/jenkinsci/plugins/emailext_template/ExtEmailTemplateManagement/index.groovy#L47).
Link added: This issue is related to SECURITY-2644.