CVE-2023-23849: XSS
First published: Mon Feb 06 2023(Updated: )
Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Any web service hosted on the same sub domain can set a cookie for the whole subdomain which can be used to bypass other mitigations in place for malicious purposes. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C
Credit: disclosure@synopsys.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Coverity | <2022.12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-23849?
CVE-2023-23849 is a vulnerability in versions of Coverity Connect prior to 2022.12.0 that allows for unauthenticated Cross-Site Scripting.
How can an attacker exploit CVE-2023-23849?
An attacker can exploit CVE-2023-23849 by hosting a malicious web service on the same subdomain and setting a cookie to bypass other mitigations for malicious purposes.
What is the severity of CVE-2023-23849?
CVE-2023-23849 has a severity value of 6.1, which is considered medium.
How do I fix CVE-2023-23849?
To fix CVE-2023-23849, update Coverity Connect to version 2022.12.0 or later.
What is the Common Weakness Enumeration (CWE) for CVE-2023-23849?
CVE-2023-23849 is associated with CWE-79, which is a weakness category for Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
- agent/type
- agent/references
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/source
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/synopsys
- canonical/coverity