Vulnerabilities > CVE-2023-6149 - XXE vulnerability in Qualys web Application Screening

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

qualys

CWE-611

NVD

Published: 2024-01-09

Updated: 2024-01-12

Summary

Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

Vulnerable Configurations

Part	Description	Count
Application	Qualys Qualys WEB Application Screening *	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.qualys.com/security-advisories/