Moderate severityNVD Advisory· Published Jan 9, 2024· Updated Apr 17, 2025

Possible XSS vulnerability in Jenkins Plugin for Qualys Policy Compliance

CVE-2023-6148

Description

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or edit jobs to utilize the plugin to configure a potential rouge endpoint via which it was possible to control response for certain request which could be injected with XSS payloads leading to XSS while processing the response data

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.qualys.plugins:qualys-pcMaven	< 1.0.6	1.0.6

Affected products

ghsa-coords
pkg:maven/com.qualys.plugins/qualys-pc
Range: < 1.0.6
Qualys,Inc./Policy Compliance Connector Jenkins Pluginv5
Range: 1.0.5

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-rwf9-8fqr-p44mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-6148ghsaADVISORY
www.openwall.com/lists/oss-security/2024/01/24/6ghsaWEB
www.qualys.com/security-advisoriesghsaWEB
www.qualys.com/security-advisories/cve-2023-6148ghsaWEB
www.qualys.com/security-advisories/mitre

News mentions

Jenkins Security Advisory 2024-01-24
Jenkins Security Advisories · Jan 24, 2024

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000