CVE-2018-16861

Published: Dec 7, 2018Modified: Nov 21, 2024

4.8

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable.

Affected (4)

Products: Theforeman: Foreman

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Theforeman Foreman	Before 1.18.3
Theforeman Foreman	From 1.19.0 to 1.19.1
Theforeman Foreman	Version 1.20.0 rc1
Theforeman Foreman	Version 1.20.0 rc2

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://access.redhat.com/errata/RHSA-2019:1222

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16861

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:1222

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16861

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

Timeline

No history available yet.