Description
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.
Report
In OpenShift Service Mesh (OSSM) the openshift-service-mesh/kiali-rhel7 container (which installs the kiali rpm) is behind OpenShift OAuth authentication restricting access to the vulnerable bootstrap-select library to authenticated users only, therefore the impact is low.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | kiali | Fix deferred | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-console | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-console | Not affected | | |
| Red Hat Single Sign-On 7 | keycloak-theme | Will not fix | | |
| Red Hat Virtualization 4 | ovirt-engine | Will not fix | | |
| Red Hat Virtualization Engine 4.4 | ovirt-web-ui | Fixed | RHSA-2021:1169 | 14.04.2021 |
| Red Hat Virtualization Engine 4.4 | ovirt-engine-ui-extensions | Fixed | RHSA-2021:1186 | 14.04.2021 |
Additional information
Severity: Moderate
Weakness: CWE-79
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1882273
nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS
EPSS: 0.00545 (percentile: 67%, Low)
CVSS3: 6.1 Medium
Related vulnerabilities
NVD entry, CVSS3: 6.1, published more than 5 years ago