GHSA-j4wf-9gx8-63f8

Source
https://github.com/advisories/GHSA-j4wf-9gx8-63f8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j4wf-9gx8-63f8/GHSA-j4wf-9gx8-63f8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j4wf-9gx8-63f8
Aliases
  • CVE-2025-53658
Published
2025-07-09T18:30:46Z
Modified
2025-11-05T20:33:33.262668Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Jenkins Applitools Eyes Plugin vulnerable to XSS through its Build page
Details

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL when rendering it on the build page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission: the URL is part of the job configuration, so anyone who can configure an affected job can set it to a value containing HTML, which then runs in the browser of any user who views the build page (hence PR:L and UI:R in the CVSS vector).

Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML metacharacters. This is input validation at configuration time rather than output escaping on the build page; upgrading to 1.16.6 or later is the remediation.
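The following is an added illustration, not code from the Applitools Eyes plugin or from this advisory. It shows, in Python rather than the plugin's Java/Jelly, how an unescaped configuration value on a page becomes stored XSS, and contrasts two mitigations: rejecting HTML metacharacters when the URL is stored (the approach the advisory describes for 1.16.6) and escaping when the URL is rendered. The markup template, the malicious URL and the "clean" default URL are constructed for the example; the exact check in the plugin is not on this page.

```python
"""Added example (not the plugin's code): unescaped URL on a build page vs.
two mitigations. Template, payload and default URL are constructed."""
import html
import re
from urllib.parse import urlsplit

# Characters that let a value break out of an HTML attribute or text node.
HTML_METACHARACTERS = set('<>"\'&')

# Constructed attacker-controlled value: a job configurer sets the Applitools
# URL to this; the tail closes the href attribute and injects a new element.
MALICIOUS_URL = 'https://eyes.example/"><img src=x onerror=alert(1)>'
CLEAN_URL = "https://eyesapi.applitools.com"   # assumed ordinary value

def render_unescaped(applitools_url: str) -> str:
    # Vulnerable pattern: configuration value interpolated straight into markup.
    return f'<a href="{applitools_url}">Applitools results</a>'

def render_escaped(applitools_url: str) -> str:
    # Output encoding: metacharacters become entities, so the value cannot
    # terminate the attribute or introduce another element.
    return f'<a href="{html.escape(applitools_url, quote=True)}">Applitools results</a>'

def reject_html_metacharacters(applitools_url: str) -> bool:
    # Input validation in the spirit of the 1.16.6 fix: refuse to accept a URL
    # containing any HTML metacharacter. Returns True when the URL is acceptable.
    return not (HTML_METACHARACTERS & set(applitools_url))

def is_acceptable_applitools_url(applitools_url: str) -> bool:
    # Stricter allow-list (an addition beyond what the advisory describes):
    # require http(s) with a host, which also rejects values such as
    # javascript: URLs that contain no HTML metacharacters at all.
    parts = urlsplit(applitools_url)
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and reject_html_metacharacters(applitools_url))

def contains_injected_element(markup: str) -> bool:
    # Crude detector used only to compare the two renderers: is there any tag
    # other than the intended <a>...</a> in the rendered fragment?
    return bool(re.search(r"<(?!/?a\b)[a-zA-Z]", markup))

if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render(MALICIOUS_URL)
        print(f"{label:9s} injected={contains_injected_element(out)}  {out}")
    print("metachar check: malicious =", reject_html_metacharacters(MALICIOUS_URL),
          "clean =", reject_html_metacharacters(CLEAN_URL))
    print("allow-list    : javascript: =", is_acceptable_applitools_url("javascript:alert(1)"),
          "clean =", is_acceptable_applitools_url(CLEAN_URL))
```

The point of the contrast is that the metacharacter check stops the value from ever being stored, whereas escaping makes the render site safe regardless of what was stored; the two are complementary, and a denylist of characters does not by itself constrain what the link points to.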

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2025-07-09T16:15:25Z",
    "github_reviewed_at": "2025-07-09T21:17:35Z",
    "severity": "HIGH"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:applitools-eyes

Package

Name
org.jenkins-ci.plugins:applitools-eyes
Purl
pkg:maven/org.jenkins-ci.plugins/applitools-eyes

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.16.6

Affected versions

1.3
1.4
1.5
1.6
1.7
1.8
1.10
1.12
1.13
1.14
1.14.1
1.15
1.15.1
1.15.2
1.15.3
1.15.4
1.16.0
1.16.1
1.16.2
1.16.3
1.16.4
1.16.5
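As an added example (not part of the advisory and not the plugin's code), the affected range above, introduced 0 and fixed 1.16.6, can be checked against a running Jenkins instance through the plugin manager JSON API. The sample API response is constructed; the endpoint `/pluginManager/api/json?depth=1`, the `shortName`/`version` fields and API-token basic auth are standard Jenkins conventions but are assumptions for this script, and reading the plugin list normally needs an administrator or system-read account.

```python
"""Added example (not from the advisory or the plugin): is applitools-eyes
installed in the affected range (< 1.16.6)? The sample response is constructed."""
import base64
import json
import re
import sys
import urllib.request
from typing import Optional, Tuple

PLUGIN_SHORT_NAME = "applitools-eyes"   # plugin id, same as the Maven artifactId
FIXED_VERSION = "1.16.6"                # first fixed release per the advisory

# Constructed sample of GET /pluginManager/api/json?depth=1 (fields trimmed).
SAMPLE_PLUGIN_MANAGER = {
    "plugins": [
        {"shortName": "git", "version": "5.7.0", "active": True},
        {"shortName": "applitools-eyes", "version": "1.16.5", "active": True},
    ]
}

def parse_version(version: str) -> Tuple[int, ...]:
    # Jenkins plugin versions are dotted integers, occasionally with a
    # qualifier such as "1.16.6-SNAPSHOT"; compare the numeric prefix only.
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(version: str) -> bool:
    # Advisory range: introduced 0 (every earlier release), fixed 1.16.6.
    # Tuple comparison orders 1.14.1 < 1.16.6 and 1.16.10 >= 1.16.6 correctly,
    # which a plain string comparison would get wrong.
    return parse_version(version) < parse_version(FIXED_VERSION)

def find_plugin(plugin_manager: dict, short_name: str) -> Optional[dict]:
    for plugin in plugin_manager.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None

def assess(plugin_manager: dict) -> str:
    # Returns "not installed", "affected <version>" or "fixed <version>".
    plugin = find_plugin(plugin_manager, PLUGIN_SHORT_NAME)
    if plugin is None:
        return "not installed"
    version = plugin["version"]
    state = "affected" if is_affected(version) else "fixed"
    return f"{state} {version}"

def fetch_plugin_manager(jenkins_url: str, user: str, api_token: str) -> dict:
    # depth=1 makes Jenkins include shortName and version for every plugin.
    req = urllib.request.Request(jenkins_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    if len(sys.argv) == 4:
        data = fetch_plugin_manager(*sys.argv[1:4])   # <jenkins-url> <user> <api-token>
    else:
        data = SAMPLE_PLUGIN_MANAGER
    print(assess(data))
```

Run without arguments to see the result on the constructed sample; with `<jenkins-url> <user> <api-token>` it queries a live instance. The same `is_affected` logic applies to any advisory whose range is expressed as "introduced 0, fixed X".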

Database specific

last_known_affected_version_range
"<= 1.16.5"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j4wf-9gx8-63f8/GHSA-j4wf-9gx8-63f8.json"