
CVE-2023-28141 – NTFS Junction
https://notcve.org/view.php?id=CVE-2023-28141
18 Apr 2023 — An NTFS Junction condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.8.0.31. Attackers may write files to arbitrary locations via a local attack vector. This allows attackers to assume the privileges of the process, and they may delete or otherwise on unauthorized files, allowing for the potential modification or deletion of sensitive files limited only to that specific directory/file object. This vulnerability is bounded to the time of installation/uninstallation and can on... • https://www.qualys.com/security-advisories • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVE-2022-29550 – Qualys Cloud Agent Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2022-29550
18 Aug 2022 — An issue was discovered in Qualys Cloud Agent 4.8.0-49. It writes "ps auxwwe" output to the /var/log/qualys/qualys-cloud-agent-scan.log file. This may, for example, unexpectedly write credentials (from environment variables) to disk in cleartext. NOTE: there are no common circumstances in which qualys-cloud-agent-scan.log can be read by a user other than root; however, the file contents could be exposed through site-specific operational practices. The vendor does NOT characterize this as a vulnerability bec... • http://packetstormsecurity.com/files/168367/Qualys-Cloud-Agent-Arbitrary-Code-Execution.html • CWE-532: Insertion of Sensitive Information into Log File