It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/94263 | Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHSA-2018:0336 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639 | Issue Tracking Third Party Advisory |
https://github.com/theforeman/foreman/pull/3523 | Third Party Advisory |
https://projects.theforeman.org/issues/15037 | Vendor Advisory |
Configurations
History
No history.
Information
Published : 2018-08-01 13:29
Updated : 2024-02-04 20:03
NVD link : CVE-2016-8639
Mitre link : CVE-2016-8639
CVE.ORG link : CVE-2016-8639
JSON object : View
Products Affected
redhat
- satellite
- satellite_capsule
theforeman
- foreman
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')