CVE-2023-30958 — Improper Neutralization of Script in Attributes in a Web Page in Com.palantir.foundry Foundry-frontend

CWE-83 — Improper Neutralization of Script in Attributes in a Web Page CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

CNA4.7

EPSS

0.2%

top 60.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palantir Com.palantir.foundry Foundry-frontend Zabbix Frontend

Timeline

PublishedAug 3

Latest updateAug 4

Description

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5palantir/com.palantir.foundry_foundry-frontend* — 6.225.0

▶NVDzabbix/frontend< 6.225.0

🔴Vulnerability Details

GHSA

GHSA-h7r6-9754-jpv8: A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed↗2023-08-04

▶

CVEList

DOM XSS in Developer mode dashboard via redirect GET parameter↗2023-08-03

▶