
CVE-2023-28025

Published: 2023-12-21 01:15:32
CWE: CWE-79
Source: web.nvd.nist.gov
16
Tags: cve-2023-28025, vulnerability, xss, html injection, svg tag, alert pop-up, cookie, sanitization, validation, server storage

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

4.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

Due to this vulnerability, a Master operator could insert an SVG tag into HTML that is stored on the server and rendered for other users (stored XSS), resulting in an alert pop-up that displays the cookie. To mitigate stored XSS vulnerabilities, thoroughly sanitize and validate all user input before it is processed and written to server storage.

Affected configurations

NVD
Node
hcltech bigfix_modern_client_management Range: < 3.2

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "HCL BigFix Mobile / Modern Client Management",
    "vendor": "HCL Software",
    "versions": [
      {
        "status": "affected",
        "version": "<= 3.1"
      }
    ]
  }
]
