{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-23849", "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b", "assignerShortName": "SNPS", "dateUpdated": "2024-08-02T10:42:27.010Z", "dateReserved": "2023-01-18T00:00:00", "datePublished": "2023-02-06T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b", "shortName": "SNPS", "dateUpdated": "2023-02-06T00:00:00"}, "descriptions": [{"lang": "en", "value": "Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Any web service hosted on the same sub domain can set a cookie for the whole subdomain which can be used to bypass other mitigations in place for malicious purposes. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C"}], "affected": [{"vendor": "Synopsys", "product": "Coverity", "versions": [{"version": "< 2022.12.0", "status": "affected"}]}], "references": [{"url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-CVE-2023-23849-affecting-Coverity"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:42:27.010Z"}, "title": "CVE Program Container", "references": [{"url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-CVE-2023-23849-affecting-Coverity", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synopsys:coverity:*:*:*:*:*:*:*:*", "matchCriteriaId": "332F5E1D-49AD-4A7E-B5E5-F91E17E690D5", "versionEndExcluding": "2022.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Any web service hosted on the same sub domain can set a cookie for the whole subdomain which can be used to bypass other mitigations in place for malicious purposes. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C"}, {"lang": "es", "value": "Las versiones de Coverity Connect anteriores a 2022.12.0 se ven afectadas por una vulnerabilidad de cross-site scripting no autenticadas. Cualquier servicio web alojado en el mismo subdominio puede configurar una cookie para todo el subdominio que puede usarse para evitar otras mitigaciones implementadas con fines maliciosos. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C"}], "id": "CVE-2023-23849", "lastModified": "2024-11-21T07:46:57.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-06T23:15:10.067", "references": [{"source": "disclosure@synopsys.com", "tags": ["Vendor Advisory"], "url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-CVE-2023-23849-affecting-Coverity"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-CVE-2023-23849-affecting-Coverity"}], "sourceIdentifier": "disclosure@synopsys.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@synopsys.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}