CVE-2023-6148Cross-site Scripting in INC Policy Compliance Connector Jenkins Plugin

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.5%
top 35.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
Qualys INC Policy Compliance Connector Jenkins PluginQualys Policy ComplianceJenkins GIT Server Plugin+9 more
Timeline
PublishedJan 9
Latest updateJan 24

Description

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or edit jobs to utilize the plugin to configure a potential rouge endpoint via which it was possible to control response for certain request which could be injected with XSS payloads leading to XSS while

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages12 packages

🔴Vulnerability Details

2
OSV
Qualys Jenkins Plugin for Policy Compliance Cross-site Scripting vulnerability2024-01-09
GHSA
Qualys Jenkins Plugin for Policy Compliance Cross-site Scripting vulnerability2024-01-09

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2024-01-242024-01-24