GHSA-rwf9-8fqr-p44m

Source
https://github.com/advisories/GHSA-rwf9-8fqr-p44m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rwf9-8fqr-p44m/GHSA-rwf9-8fqr-p44m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rwf9-8fqr-p44m
Aliases
  • CVE-2023-6148
Published
2024-01-09T09:30:29Z
Modified
2024-02-21T05:20:50.519374Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
Qualys Jenkins Plugin for Policy Compliance Cross-site Scripting vulnerability
Details

Qualys Jenkins Plugin for Policy Compliance up to and including version 1.0.5 was found to be affected by a security flaw: a missing permission check when performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and permission to configure or edit jobs to use the plugin to configure a potential rogue endpoint, through which it was possible to control the response to certain requests. Such a response could carry XSS payloads, leading to cross-site scripting when the response data was processed.

Database specific
{
    "nvd_published_at": "2024-01-09T09:15:42Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-12T23:22:11Z"
}
References

Affected packages

Maven / com.qualys.plugins:qualys-pc

Package

Name
com.qualys.plugins:qualys-pc
Purl
pkg:maven/com.qualys.plugins/qualys-pc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.6

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5