Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-20677

Опубликовано: 10 авг. 2018
Источник: redhat
CVSS3: 6.1

Описание

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the affix configuration target property. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hosting Web site, which can lead to stealing the victim's cookie-based authentication credentials.

Отчет

Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all. Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
CloudForms Management Engine 5cfme-gemsetNot affected
OpenShift Service Mesh 2.1servicemesh-prometheusNot affected
Red Hat Ceph Storage 4cephAffected
Red Hat Ceph Storage 5cephAffected
Red Hat Discovery 1discovery-server-containerNot affected
Red Hat Enterprise Linux 7pki-coreNot affected
Red Hat Enterprise Linux 8pki-core:10.6/pki-coreNot affected
Red Hat Fuse 7bootstrapOut of support scope
Red Hat JBoss Data Grid 7bootstrapOut of support scope
Red Hat JBoss Enterprise Web Server 2bootstrapOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1668089bootstrap: XSS in the affix configuration target property

6.1 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-20677

CVSS3: 6.1
ubuntu
около 7 лет назад

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

nvd логотип

CVE-2018-20677

CVSS3: 6.1
nvd
около 7 лет назад

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

debian логотип

CVE-2018-20677

CVSS3: 6.1
debian
около 7 лет назад

In Bootstrap before 3.4.0, XSS is possible in the affix configuration ...

github логотип

GHSA-ph58-4vrj-w6hr

CVSS3: 6.1
github
около 7 лет назад

bootstrap Cross-site Scripting vulnerability

fstec логотип

BDU:2020-02566

CVSS3: 6.1
fstec
около 7 лет назад

Уязвимость плагина affix набора инструментов для создания сайтов и веб-приложений Bootstrap, позволяющая нарушителю осуществлять межсайтовые сценарные атаки

6.1 Medium

CVSS3