History: Sep 26, 2023 - 5:56 p.m.

CVE-2023-30959 Stored XSS via javascript URI in Apollo Change Requests comment

2023-09-26 17:56:20
CWE-84
Palantir
www.cve.org
Tags: stored xss, apollo, change requests, javascript uri, user interaction

CVSS3: 4.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

EPSS: 0.0004 Low
EPSS Percentile: 14.0%

In Apollo change requests, comments added by users could contain a javascript: URI link that, when rendered, results in an XSS that requires user interaction.
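The mitigation for this class of bug is to allowlist the URL scheme of any link rendered from a user-authored comment, rather than relying on HTML escaping. The following is an added illustration and not Palantir's code; the renderer, function names and the base URL are hypothetical.

```javascript
// Added example, not Palantir's code: a link renderer for user-authored
// comment bodies that allowlists the href scheme, so a javascript: URI is
// neutralised before it reaches the DOM. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns the candidate href if its scheme is allowlisted, otherwise "#".
// The WHATWG URL parser is used instead of a regex because it applies the
// same normalisation a browser applies when it follows the link: it lowercases
// the scheme, strips leading/trailing whitespace and drops embedded tab and
// newline characters, so "JavaScript:" and "java\tscript:" are still caught.
function safeHref(candidate) {
  if (typeof candidate !== "string") return "#";
  let url;
  try {
    // A fixed base lets relative links ("/changes/42") parse and inherit
    // the base's (allowed) scheme; absolute links keep their own scheme.
    url = new URL(candidate, "https://comments.example.invalid/");
  } catch {
    return "#"; // unparseable input is not a link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? candidate.trim() : "#";
}

// Escaping alone does not help here: the href is a well-formed attribute
// value; it is the scheme that executes script once the link is clicked.
function renderCommentLinkUnsafe(text, href) {
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Hardened form: scheme allowlist, plus rel to drop the opener reference.
function renderCommentLink(text, href) {
  return `<a href="${escapeHtml(safeHref(href))}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}
```

A Content-Security-Policy without `'unsafe-inline'` in `script-src` is a useful second layer, since it blocks javascript: navigations that slip past the renderer.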

CNA Affected

[
  {
    "vendor": "Palantir",
    "product": "com.palantir.apollo:autopilot",
    "versions": [
      {
        "version": "*",
        "versionType": "semver",
        "lessThan": "3.308.0",
        "status": "affected"
      }
    ]
  }
]
