CVE-2023-6146 - OpenCVE

A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qualys	Private Cloud Platform

Configuration 1 [-]

cpe:2.3:a:qualys:private_cloud_platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.qualys.com/security-advisories/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Qualys

Published: 2023-12-08T14:21:56.577Z

Updated: 2024-08-02T08:21:17.584Z

Reserved: 2023-11-15T10:10:22.335Z

Link: CVE-2023-6146

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-08T15:15:08.037

Modified: 2023-12-12T17:20:59.940

Link: CVE-2023-6146

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6146", "assignerOrgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda", "state": "PUBLISHED", "assignerShortName": "Qualys", "dateReserved": "2023-11-15T10:10:22.335Z", "datePublished": "2023-12-08T14:21:56.577Z", "dateUpdated": "2024-08-02T08:21:17.584Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["PCP"], "product": "Qualysguard", "vendor": "Qualys", "versions": [{"lessThan": " 10.24.0.0", "status": "affected", "version": " ", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Frank Cozijnsen of the KPN REDteam "}], "datePublic": "2023-12-08T14:02:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. T</span><span style=\"background-color: rgb(255, 255, 255);\">his vulnerability allowed a user with login access to the application to introduce XSS payload via browser details.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n"}], "value": "\nA Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details.\u00a0\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda", "shortName": "Qualys", "dateUpdated": "2023-12-08T14:21:56.577Z"}, "references": [{"url": "https://www.qualys.com/security-advisories/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Customers should upgrade Qualys Private Cloud Platform to a minimum version of 10.24.0.0.</span><span style=\"background-color: rgb(255, 255, 255);\"> For customer on Qualys Shared Cloud no actions are necessary.</span><br>"}], "value": "\nCustomers should upgrade Qualys Private Cloud Platform to a minimum version of 10.24.0.0.\u00a0For customer on Qualys Shared Cloud no actions are necessary.\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS Vulnerability in QualysGuard VM/PC ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.584Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qualys.com/security-advisories/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qualys:private_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "8592CBEB-FE44-4413-BC06-182BC622C87C", "versionEndExcluding": "10.24.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nA Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details.\u00a0\n\n"}, {"lang": "es", "value": "Se descubri\u00f3 que una aplicaci\u00f3n web Qualys ten\u00eda una vulnerabilidad XSS almacenada resultante de la ausencia de codificaci\u00f3n HTML en la presentaci\u00f3n de la informaci\u00f3n de registro a los usuarios. Esta vulnerabilidad permiti\u00f3 a un usuario con acceso a la aplicaci\u00f3n introducir el payload XSS a trav\u00e9s de los detalles del navegador."}], "id": "CVE-2023-6146", "lastModified": "2023-12-12T17:20:59.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "bugreport@qualys.com", "type": "Secondary"}]}, "published": "2023-12-08T15:15:08.037", "references": [{"source": "bugreport@qualys.com", "tags": ["Vendor Advisory"], "url": "https://www.qualys.com/security-advisories/"}], "sourceIdentifier": "bugreport@qualys.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "bugreport@qualys.com", "type": "Secondary"}]}