Stored XSS via javascript URI in Apollo Change Requests comment
CVE-2023-30959

4.1MEDIUM

Key Information:

Vendor: Palantir
Status: Com.palantir.apollo:autopilot
Vendor: CVE Published:; 27 September 2023

What is CVE-2023-30959?

In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.

Affected Version(s)

com.palantir.apollo:autopilot * < 3.308.0

References

https://palantir.safebase.us/?tcuUid=4c257f07-58af-4532-8...

CVSS V3.1

Score:

4.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 27, 2023
Vulnerability Reserved
Apr 21, 2023

Palantir

What is CVE-2023-30959?

Affected Version(s)

References

CVSS V3.1

Timeline