Description
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.
Statement
Red Hat Subscription Asset Manager does not support the Organization Change, and therefore is not affected by this flaw.
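The flaw described above is a stored XSS: a value that one user is allowed to write (an organization or location name) is later rendered into a wizard page viewed by a more privileged user. The following is an added illustration, not Katello's or Foreman's code, of the defensive pattern that closes this class of bug in a Rails-style view: HTML-escaping every untrusted value at output time. The organization name, the two rendering functions and the check are all constructed here for the example; Katello's real templates and helpers are not shown.

```ruby
require "erb"

# Constructed sample: an organization name as a lower-privileged user might
# store it. Placeholder value for the example, not data from the advisory.
SAMPLE_ORG_NAME = %q{Finance <b onmouseover="alert(1)">dept</b> & Co}

# Hypothetical vulnerable rendering: the stored name is concatenated straight
# into the wizard's HTML, so any markup inside it becomes live markup in the
# browser of whoever views the page next (including an administrator).
def render_org_row_unsafe(name)
  "<td class=\"org-name\">#{name}</td>"
end

# Hardened rendering: HTML-escape the untrusted value at output time. This is
# what Rails' <%= %> does by default as long as the string is not marked
# html_safe; ERB::Util.html_escape is the same escaper without Rails.
def render_org_row_safe(name)
  "<td class=\"org-name\">#{ERB::Util.html_escape(name)}</td>"
end

# Defender-side check suitable for a view test: once the template's own tags
# are stripped, the rendered cell must contain no characters that could open
# a tag or break out of an attribute.
TEMPLATE_TAGS = ["<td class=\"org-name\">", "</td>"].freeze

def cell_contains_only_template_markup?(html)
  body = html.delete_prefix(TEMPLATE_TAGS[0]).delete_suffix(TEMPLATE_TAGS[1])
  !body.match?(/[<>"']/)
end

if __FILE__ == $0
  puts render_org_row_unsafe(SAMPLE_ORG_NAME)  # markup survives: vulnerable
  puts render_org_row_safe(SAMPLE_ORG_NAME)    # markup neutralised as entities
end
```

The escaped form keeps the name readable for the viewer (browsers decode the entities back to the original characters) while guaranteeing it can no longer change the page structure, which is why escaping at output rather than filtering at input is the usual fix for a wizard that renders administrator-visible data.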
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Subscription Asset Manager | katello | Not affected | | |
| Red Hat Satellite 6.5 for RHEL 7 | ansiblerole-insights-client | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | candlepin | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | createrepo_c | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-bootloaders-redhat | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-discovery-image | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-installer | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-proxy | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-selinux | Fixed | RHSA-2019:1222 | 14.05.2019 |
Additional information
CVSS3: 5.4 (Medium)
Related vulnerabilities
- A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.
- A vulnerability in the Katello package management system, caused by a failure to protect the structure of the web page, allowing an attacker to carry out a cross-site scripting or cross-site request forgery attack. CVSS3: 5.4 (Medium)