CVE-2025-53658 is a stored cross-site scripting (XSS) vulnerability identified in the Jenkins Applitools Eyes Plugin, specifically affecting versions 1.16.5 and earlier. The vulnerability occurs because the plugin does not properly escape the Applitools URL displayed on the Jenkins build page. This improper sanitization allows an attacker who has Item/Configure permissions within Jenkins to inject malicious JavaScript code that is stored and subsequently executed in the context of users viewing the affected build page. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 5.4, indicating a medium severity level, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This means the attack can be executed remotely over the network with low attack complexity, requires privileges (Item/Configure permission) and user interaction to trigger the payload. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting other users' sessions or data. The confidentiality and integrity of data can be partially compromised, but availability remains unaffected. No patches or public exploits are currently available, but the vulnerability is published and should be addressed promptly. Since Jenkins is widely used for continuous integration and deployment, exploitation could lead to unauthorized actions or information disclosure within development pipelines.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of their Jenkins environments. Attackers with Item/Configure permissions could inject malicious scripts that execute in the browsers of users viewing the build pages, potentially leading to session hijacking, credential theft, or unauthorized actions within Jenkins. This could compromise the integrity of the software development lifecycle, leading to the insertion of malicious code or disruption of automated build and deployment processes. Organizations relying heavily on Jenkins for critical infrastructure or software delivery pipelines could face increased risk of supply chain attacks or insider threats. The medium severity score reflects that while exploitation requires some privileges and user interaction, the potential impact on sensitive development environments is significant. European companies in sectors such as finance, manufacturing, and technology, which commonly use Jenkins, may be particularly affected if they have not updated the plugin or implemented compensating controls.

1. Upgrade the Jenkins Applitools Eyes Plugin to a version later than 1.16.5 once a patch is released by the vendor. 2. Until a patch is available, restrict Item/Configure permissions to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 3. Implement Content Security Policy (CSP) headers on Jenkins web interfaces to limit the execution of unauthorized scripts. 4. Monitor Jenkins logs for unusual configuration changes or suspicious activity related to build pages. 5. Educate Jenkins users to be cautious when interacting with build pages and report any unexpected behavior. 6. Consider isolating Jenkins instances or using network segmentation to limit exposure. 7. Regularly audit plugin versions and configurations to ensure compliance with security best practices. 8. Employ web application firewalls (WAFs) that can detect and block XSS payloads targeting Jenkins interfaces.