Vulnerability Database

319,703

Total vulnerabilities in the database

CVE-2023-22843

An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Via stored Cross-Site Scripting (XSS), an attacker may be able to perform unauthorized actions on behalf of legitimate users and/or gather sensitive information. JavaScript injection was possible in the contents for Yara rules, while limited HTML injection has been proven for packet and STYX rules.

Published: Aug 9, 2023
Updated: Nov 16, 2025
CVE: CVE-2023-22843
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.4
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
nozominetworks / cmc	-	22.6.2
nozominetworks / guardian	-	22.6.2

https://security.nozominetworks.com/NN-2023:4-01

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo