CVE-2023-6148

EPSS 0.46%
Veröffentlicht 09.01.2024 09:15:42
Zuletzt bearbeitet 13.02.2025 18:16:05
Quelle bugreport@qualys.com
CVE-Watchlists
Login
Unerledigt
Login

Possible XSS vulnerability in Jenkins Plugin for Qualys Policy Compliance

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or edit jobs to utilize the plugin to configure a potential rouge endpoint via which it was possible to control response for certain request which could be injected with XSS payloads leading to XSS while processing the response data

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qualys ≫ Policy Compliance SwPlatformjenkins Version <= 1.0.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.362

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
bugreport@qualys.com	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.qualys.com/security-advisories/

Vendor Advisory

http://www.openwall.com/lists/oss-security/2024/01/24/6

https://nvd.nist.gov/vuln/detail/CVE-2023-6148

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-6148

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-6148

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-6148