Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or edit jobs to utilize the plugin to configure a potential rouge endpoint via which it was possible to control response for certain request which could be injected with XSS payloads leading to XSS while processing the response data
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2024/01/24/6 | |
https://www.qualys.com/security-advisories/ | Vendor Advisory |
Configurations
History
24 Jan 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Jan 2024, 20:12
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
References | () https://www.qualys.com/security-advisories/ - Vendor Advisory | |
CPE | cpe:2.3:a:qualys:policy_compliance:*:*:*:*:*:jenkins:*:* | |
First Time |
Qualys policy Compliance
Qualys |
|
CWE | CWE-79 |
09 Jan 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-09 09:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-6148
Mitre link : CVE-2023-6148
CVE.ORG link : CVE-2023-6148
JSON object : View
Products Affected
qualys
- policy_compliance
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')