Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-20677

Опубликовано: 10 авг. 2018
Источник: redhat
CVSS3: 6.1

Описание

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the affix configuration target property. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hosting Web site, which can lead to stealing the victim's cookie-based authentication credentials.

Отчет

Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all. Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
CloudForms Management Engine 5bootstrap-sassNot affected
OpenShift Service Mesh 2.1servicemesh-prometheusNot affected
Red Hat Ceph Storage 4cephAffected
Red Hat Ceph Storage 5cephAffected
Red Hat Discoverydiscovery-server-containerNot affected
Red Hat Enterprise Linux 7pki-coreNot affected
Red Hat Enterprise Linux 8pki-core:10.6/pki-coreNot affected
Red Hat Fuse 7bootstrapOut of support scope
Red Hat JBoss Data Grid 7bootstrapOut of support scope
Red Hat JBoss Enterprise Web Server 2bootstrapOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1668089bootstrap: XSS in the affix configuration target property

6.1 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-20677

CVSS3: 6.1
ubuntu
больше 6 лет назад

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

nvd логотип

CVE-2018-20677

CVSS3: 6.1
nvd
больше 6 лет назад

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

debian логотип

CVE-2018-20677

CVSS3: 6.1
debian
больше 6 лет назад

In Bootstrap before 3.4.0, XSS is possible in the affix configuration ...

github логотип

GHSA-ph58-4vrj-w6hr

CVSS3: 6.1
github
больше 6 лет назад

bootstrap Cross-site Scripting vulnerability

fstec логотип

BDU:2020-02566

CVSS3: 6.1
fstec
больше 6 лет назад

Уязвимость плагина affix набора инструментов для создания сайтов и веб-приложений Bootstrap, позволяющая нарушителю осуществлять межсайтовые сценарные атаки

6.1 Medium

CVSS3