Cross-site Scripting (XSS)
Jenkins Applitools Eyes Plugin is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to the plugin not escaping the Applitools URL on the build page, where attackers with Item/Configure permission can exploit it to inject malicious scripts...
EUVD-2025-20835
Malicious code in bioql PyPI...
EUVD-2025-20834
Malicious code in bioql PyPI...
EUVD-2025-20856
Malicious code in bioql PyPI...
@andrewzagorski/admin (>=4.25.19-patch.1 <=4.25.19-patch.3), @applitools/core (>=2.3.7 <=4.57.1) +147 more potentially affected by CVE-2025-9960 via is-localhost-ip (>=1.4.0 <=3.0.1)
is-localhost-ip NPM version =1.4.0, =4.25.19-patch.1, =2.3.7, =1.0.0, =1.2.11, =0.5.1, =1.0.6, =1.0.0, =1.13.7, =1.0.0, =3.30.0, =4.22.1, =1.14.0, =1.14.1, =1.14.1, =13.11.30, =13.11.34-legacy.1 and more Source cves: CVE-2025-9960 Source advisory: SNYK:JS-ISLOCALHOSTIP-13004668...
The vulnerability in the Applitools Eyes plugin for Jenkins automation servers, caused by keys being stored in cleartext, allows a malicious actor to gain unauthorized access to protected information.
The vulnerability in the Applitools Eyes plugin for Jenkins automation servers lies in the fact that keys are stored in cleartext within the config.xml configuration file. Exploiting this vulnerability allows a malicious actor, operating remotely, to gain unauthorized access to protected...
The vulnerability in the Applitools Eyes plugin for Jenkins automation servers, caused by insufficient protection of the web page structure, allows attackers to perform cross-site scripting attacks.
The vulnerability in the Applitools Eyes plugin for Jenkins automation servers is caused by insufficient protection of the web page structure. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks remotely...
The vulnerability in the Applitools Eyes plugin for Jenkins automation servers, caused by information being stored in cleartext, allows a malicious actor to gain unauthorized access to the protected information.
The vulnerability in the Applitools Eyes plugin for Jenkins automation servers lies in the fact that information is stored in cleartext within the config.xml configuration file. Exploiting this vulnerability allows a malicious actor, operating remotely, to gain unauthorized access to the...
Insufficiently Protected Credentials
Overview: Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the job configuration form, where API keys are not masked. An attacker can obtain sensitive credentials by viewing the exposed API keys during job configuration. Remediation: Upgrade...
Cleartext Storage of Sensitive Information
Overview: Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information via the storage of unencrypted API keys in config.xml files. An attacker can access sensitive information by obtaining Item/Extended Read permissions or direct access to the controller file...
GHSA-Q92V-3F4W-5XG8 Jenkins Applitools Eyes Plugin vulnerability exposes unencrypted keys to certain authenticated users
Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
GHSA-JMRV-RXGR-PHVR Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Applitools URL field on the build page. An attacker can execute arbitrary JavaScript code in the context of other users by injecting malicious input into this field. This is only exploitable if the...
GHSA-J4WF-9GX8-63F8 Jenkins Applitools Eyes Plugin vulnerable to XSS through its Build page
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML...
CVE-2025-53742
Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
CVE-2025-53743
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them...
CVE-2025-53658
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...