ByteOS Network

CVE Vulnerability Details :

CVE-2023-30959

PUBLISHED

More Info Official Page

Assigner-Palantir

Assigner Org ID-bbcbe11d-db20-4bc2-8a6e-c79f87041fd4

Published At-26 Sep, 2023 | 17:56

Updated At-24 Sep, 2024 | 13:47

▼CVE Numbering Authority (CNA)

Stored XSS via javascript URI in Apollo Change Requests comment

In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.

Affected Products

Vendor

Palantir

Product

com.palantir.apollo:autopilot

Versions

Affected

From * before 3.308.0 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-84	The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.

Metrics

Version	Base score	Base severity	Vector
3.1	4.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Impacts

CAPEC ID	Description
CAPEC-63	An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.

CAPEC ID

Description

CAPEC-63

An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.

References

Hyperlink	Resource
https://palantir.safebase.us/?tcuUid=4c257f07-58af-4532-892a-bdbe8ab3ec63	N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://palantir.safebase.us/?tcuUid=4c257f07-58af-4532-892a-bdbe8ab3ec63	x_transferred

2. CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References