CVE-2023-30963 — Improper Neutralization of Script in Attributes of IMG Tags in a Web Page in Com.palantir.foundry Foundry-frontend

CWE-82 — Improper Neutralization of Script in Attributes of IMG Tags in a Web Page CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 44.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palantir Com.palantir.foundry Foundry-frontend Palantir Foundry Frontend

Timeline

PublishedJul 10

Latest updateJul 11

Description

A security defect was discovered in Foundry Frontend which enabled users to perform Stored XSS attacks in Slate if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.229.0. The service was rolled out to all affected Foundry instances. No further intervention is required.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDpalantir/foundry_frontend< 6.229.0

▶CVEListV5palantir/com.palantir.foundry_foundry-frontend* — 6.229.0

🔴Vulnerability Details

GHSA

GHSA-46hm-73m4-wgrq: A security defect was discovered in Foundry Frontend which enabled users to perform Stored XSS attacks in Slate if Foundry's CSP were to be bypassed↗2023-07-11

▶

CVEList

Stored XSS in Foundry Slate Query Dropdown menu↗2023-07-10

▶