CVE-2023-6148

Name of the Vulnerable Software and Affected Versions Qualys Jenkins Plugin for Policy Compliance versions prior to and including 1.0.5

Description The issue is related to a missing permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or edit jobs to utilize the plugin to configure a potential rogue endpoint, via which it was possible to control responses for certain requests that could be injected with XSS payloads, leading to XSS while processing the response data.

Recommendations For Qualys Jenkins Plugin for Policy Compliance versions prior to and including 1.0.5, update to a version later than 1.0.5 to resolve the issue. As a temporary workaround, consider restricting access to configure or edit jobs to minimize the risk of exploitation.