Vulnerability CVE-2016-8639


Published: 2018-08-01

Description:
It was found that Foreman before 1.13.0 is vulnerable to a stored cross-site scripting (XSS) flaw via an organization or location name. An attacker who holds the privilege to set an organization or location name can store arbitrary HTML, including script, in that name; it is then rendered unescaped in the web interface and executes in the browser of any user who views the affected page.
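As an added illustration of the bug class described above (constructed for this page, not code from the Foreman project, the fixing pull request, or the advisory), the Ruby below shows a helper that splices a stored organization name into markup as-is beside a hardened version that escapes it, together with a small regression check that flags any tag the template did not itself emit. The helper names, the `/organizations/select` route and the sample organization name are assumptions made for the example.

```ruby
require "erb"

# Constructed sample input: an organization name that a user with rights to
# edit taxonomies could save. Illustrative only, not a payload from the advisory.
ATTACKER_ORG_NAME = %q{Acme <img src=x onerror="alert(document.cookie)">}

# Vulnerable pattern (hypothetical, modelled on the bug class of CVE-2016-8639,
# not Foreman's actual code): the stored name is interpolated into HTML without
# escaping, so markup inside the name becomes part of the page for every viewer.
def render_org_switcher_vulnerable(org_names)
  items = org_names.map do |n|
    %Q{<li><a href="/organizations/select?name=#{n}">#{n}</a></li>}
  end
  %Q{<ul class="org-switcher">#{items.join}</ul>}
end

# Hardened pattern: escape the value for HTML text/attribute context and
# URL-encode it for the query string before it touches the markup.
def render_org_switcher_safe(org_names)
  items = org_names.map do |n|
    text = ERB::Util.html_escape(n)
    q    = ERB::Util.url_encode(n)
    %Q{<li><a href="/organizations/select?name=#{q}">#{text}</a></li>}
  end
  %Q{<ul class="org-switcher">#{items.join}</ul>}
end

# Regression check: list every opening tag in the fragment that is not one of
# the tags the template is expected to emit. A non-empty result means some
# untrusted value reached the page unescaped.
def unexpected_tags(html, allowed = %w[ul li a])
  html.scan(/<\s*([a-zA-Z][\w-]*)/).flatten.map(&:downcase).uniq - allowed
end

if $PROGRAM_NAME == __FILE__
  vuln = render_org_switcher_vulnerable([ATTACKER_ORG_NAME])
  safe = render_org_switcher_safe([ATTACKER_ORG_NAME])
  puts "vulnerable fragment leaks tags: #{unexpected_tags(vuln).inspect}"
  puts "hardened fragment leaks tags:   #{unexpected_tags(safe).inspect}"
end
```

In Rails, `<%= %>` escapes by default; this bug class typically enters through `raw`, `html_safe`, string-built HTML in helpers, or client-side code that assigns server-provided names to `innerHTML`. The `unexpected_tags` check is deliberately crude (it looks only for opening tags) and is meant as a cheap view-level test, not a substitute for escaping at the output point.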

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score:          3.5/10
Impact Subscore:          2.9/10
Exploitability Subscore:  6.8/10

Exploit range:            Remote
Attack complexity:        Medium
Authentication:           Single time
Confidentiality impact:   None
Integrity impact:         Partial
Availability impact:      None

Affected software:
Theforeman -> Foreman
Redhat -> Satellite
Redhat -> Satellite capsule

References:
http://www.securityfocus.com/bid/94263
https://access.redhat.com/errata/RHSA-2018:0336
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639
https://github.com/theforeman/foreman/pull/3523
https://projects.theforeman.org/issues/15037

Copyright 2024, cxsecurity.com
