CVE-2016-8613

Published: Jul 31, 2018Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS vulnerability.

Affected (1)

Products: Theforeman: Foreman

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Theforeman Foreman	Version 1.5.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (8)

http://www.securityfocus.com/bid/93859

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8613

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://github.com/theforeman/foreman_remote_execution/pull/208

Source: secalert@redhat.com

Third Party Advisory

https://projects.theforeman.org/issues/17066/

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/93859

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8613

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/theforeman/foreman_remote_execution/pull/208

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://projects.theforeman.org/issues/17066/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.