Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-25363

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-13 Mar, 2025 | 00:00
Updated At-19 Mar, 2025 | 18:42
Rejected At-
Credits

An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in context of a user's browser via injecting a crafted payload into the HTML field of a template.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:13 Mar, 2025 | 00:00
Updated At:19 Mar, 2025 | 18:42
Rejected At:
▼CVE Numbering Authority (CNA)

An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in context of a user's browser via injecting a crafted payload into the HTML field of a template.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://marketplace.atlassian.com/apps/4832/enterprise-mail-handler-for-jira-jemh/version-history?versionHistoryHosting=dataCenter
N/A
https://github.com/florkie/CVE/blob/main/CVE-2025-25363.md
N/A
Hyperlink: https://marketplace.atlassian.com/apps/4832/enterprise-mail-handler-for-jira-jemh/version-history?versionHistoryHosting=dataCenter
Resource: N/A
Hyperlink: https://github.com/florkie/CVE/blob/main/CVE-2025-25363.md
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-80CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Type: CWE
CWE ID: CWE-80
Description: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:13 Mar, 2025 | 18:15
Updated At:03 Apr, 2025 | 16:43

An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in context of a user's browser via injecting a crafted payload into the HTML field of a template.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CPE Matches
thepluginpeople
thepluginpeople
>>enterprise_mail_handler>>Versions from 4.1.53-dc(inclusive) to 4.1.69-dc(exclusive)
cpe:2.3:a:thepluginpeople:enterprise_mail_handler:*:*:*:*:*:jira:*:*
Weaknesses
CWE IDTypeSource
CWE-80Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-80
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/florkie/CVE/blob/main/CVE-2025-25363.mdcve@mitre.org
Third Party Advisory
https://marketplace.atlassian.com/apps/4832/enterprise-mail-handler-for-jira-jemh/version-history?versionHistoryHosting=dataCentercve@mitre.org
Release Notes
Hyperlink: https://github.com/florkie/CVE/blob/main/CVE-2025-25363.md
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://marketplace.atlassian.com/apps/4832/enterprise-mail-handler-for-jira-jemh/version-history?versionHistoryHosting=dataCenter
Source: cve@mitre.org
Resource:
Release Notes

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2025-31075
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 4.91%
||
7 Day CHG-0.04%
Published-28 Mar, 2025 | 09:39
Updated-28 Mar, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MicroPayments plugin <= 2.9.29 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in videowhisper MicroPayments allows Stored XSS. This issue affects MicroPayments: from n/a through 2.9.29.

Action-Not Available
Vendor-videowhisper
Product-MicroPayments
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-39524
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 20.02%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 12:45
Updated-16 Apr, 2025 | 13:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Html5 Audio Player <= 2.2.28 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in bPlugins Html5 Audio Player allows Stored XSS. This issue affects Html5 Audio Player: from n/a through 2.2.28.

Action-Not Available
Vendor-bPlugins
Product-Html5 Audio Player
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-31465
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 4.91%
||
7 Day CHG-0.04%
Published-28 Mar, 2025 | 11:54
Updated-28 Mar, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Better Section Navigation Widget <= 1.6.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in cornershop Better Section Navigation Widget allows Stored XSS. This issue affects Better Section Navigation Widget: from n/a through 1.6.1.

Action-Not Available
Vendor-cornershop
Product-Better Section Navigation Widget
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-31604
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 4.91%
||
7 Day CHG-0.04%
Published-31 Mar, 2025 | 12:55
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cal.com plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cal.com Cal.com allows Stored XSS. This issue affects Cal.com: from n/a through 1.0.0.

Action-Not Available
Vendor-Cal.com
Product-Cal.com
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-24678
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 10.39%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-24 Jan, 2025 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Listamester Plugin <= 2.3.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.4.

Action-Not Available
Vendor-Listamester
Product-Listamester
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-24673
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 13.80%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-24 Jan, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ketchup Shortcodes Plugin <= 0.1.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AyeCode Ltd Ketchup Shortcodes allows Stored XSS. This issue affects Ketchup Shortcodes: from n/a through 0.1.2.

Action-Not Available
Vendor-AyeCode Ltd
Product-Ketchup Shortcodes
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-6052
Matching Score-4
Assigner-Checkmk GmbH
ShareView Details
Matching Score-4
Assigner-Checkmk GmbH
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.38%
||
7 Day CHG+0.07%
Published-03 Jul, 2024 | 14:30
Updated-16 Sep, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in SQL check parameters

Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements

Action-Not Available
Vendor-Checkmk GmbH
Product-checkmkCheckmk
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5741
Matching Score-4
Assigner-Checkmk GmbH
ShareView Details
Matching Score-4
Assigner-Checkmk GmbH
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 54.46%
||
7 Day CHG~0.00%
Published-17 Jun, 2024 | 11:16
Updated-16 Aug, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in inventory view

Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL)

Action-Not Available
Vendor-Checkmk GmbH
Product-checkmkCheckmk
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Details not found