CVE-2016-8634

Опубликовано: 03 нояб. 2016

Источник: redhat

CVSS3: 6.1

CVSS2: 4.9

EPSS Низкий

Описание

A vulnerability was found in foreman 1.14.0. When creating an organization or location in Foreman, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML. This occurs in the alertbox on the page. The result is a stored XSS attack if an organization/location with HTML in the name is created, then a user is linked directly to this URL.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Ceph Storage 1.3	foreman	Will not fix
Red Hat Satellite 6.3 for RHEL 7	candlepin	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	foreman	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	foreman-bootloaders-redhat	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	foreman-discovery-image	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	foreman-installer	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	foreman-proxy	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	foreman-selinux	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	hiera	Fixed	RHSA-2018:0336	21.02.2018
Red Hat Satellite 6.3 for RHEL 7	katello	Fixed	RHSA-2018:0336	21.02.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-79

https://bugzilla.redhat.com/show_bug.cgi?id=1391520foreman: Stored XSS in org/loc wizard

EPSS

Процентиль: 55%

0.00328

Низкий

6.1 Medium

CVSS3

4.9 Medium

CVSS2

Связанные уязвимости

CVE-2016-8634

CVSS3: 6.1

nvd

больше 7 лет назад

CVE-2016-8634

CVSS3: 6.1

debian

больше 7 лет назад

A vulnerability was found in foreman 1.14.0. When creating an organiza ...

GHSA-fjj6-r3pr-3rrj

CVSS3: 5.4

github

больше 3 лет назад

EPSS

Процентиль: 55%

0.00328

Низкий

6.1 Medium

CVSS3

4.9 Medium

CVSS2