Cloud Platform
Contact us
Asset Management
Vulnerability & Configuration Management
Risk Remediation
Threat Detection & Response
  • Overview
  • Platform Apps

  • Qualys Endpoint Security

    Advanced endpoint threat protection, improved threat context, and alert prioritization

  • Context XDR

    Extend detection and response beyond the endpoint to the enterprise

Cloud Security

Security advisory.

Stored XSS Vulnerability in QualysGuard VM/PC [CVE-2023-6146]

Affected Product: Qualys Private Cloud Platform (PCP)
Advisory ID: Q-PVD-2023-08
CVE ID:  CVE-2023-6146
Published: 2023-11-16

Risk Factor

NVD Risk Rating Qualys Risk Rating
CVSSv3.1 Score TBD 5.7
CVSSv3.1 Vector (Base) TBD AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N


A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details.


Customers should upgrade Qualys Private Cloud Platform to a minimum version of

Risk Management Considerations

Qualys has assessed the exploit and believes the risk to be (Moderate) for the following reasons:

  • A valid user account is necessary to exploit the vulnerability, and the user needs to login to insert the payload
  • The payload will only execute on visiting a specific page in the application and doesn’t affect any other applications/ modules
  • Cookie / Session has been set with HTTPOnly flag which prevent session compromise


Frank Cozijnsen of the KPN REDteam

View more security advisories