PT-2019-9200 · Cloudera · Cloudera Manager

Ekta Mittal +1 · Published 2019-06-20 · Updated 2020-08-13 · CVE-2018-15913

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Cloudera Manager versions 5.x through 5.15.0

Description: An issue in Cloudera Manager allows for potential cross-site scripting (XSS) due to the lack of validation of the returnUrl parameter. This parameter is used to redirect the user to another page in Cloudera Manager after completing a wizard. As a result, an attacker could redirect the user to an external site or execute malicious JavaScript functions. The fix involves restricting the returnUrl parameter to prevent external redirects, with exceptions for explicitly configured SAML Login/Logout URLs.

Recommendations: For Cloudera Manager versions 5.x through 5.15.0, update the software to a version that includes the fix, which restricts the returnUrl parameter to prevent external redirects, allowing only explicitly configured SAML Login/Logout URLs as exceptions.
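The policy the fix describes (returnUrl may only point back into the application, with explicitly configured SAML Login/Logout URLs as the sole external exceptions) can be enforced with a small validator placed in front of the redirect. The following is an added illustration of that policy, not Cloudera's code; the function name, the DEFAULT_LANDING constant and the sample URLs are assumptions constructed for this example.

```python
"""Validator for a post-wizard ``returnUrl`` parameter (added example).

Illustrative re-implementation of the policy in the advisory above, not
Cloudera's code; the function and constant names are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed fallback landing page used whenever the parameter is rejected.
DEFAULT_LANDING = "/cmf/home"


def validate_return_url(return_url, allowed_saml_urls=(), default=DEFAULT_LANDING):
    """Return a redirect target that is safe to place in a Location header.

    Accepts either (a) an exact match of a configured SAML URL, or (b) an
    absolute path on the current origin. Anything else falls back to ``default``.
    """
    if not return_url:
        return default
    candidate = return_url.strip()

    # Explicitly configured SAML Login/Logout URLs are the only permitted
    # external targets; compare verbatim so a prefix or substring match
    # cannot let a look-alike host through.
    if candidate in allowed_saml_urls:
        return candidate

    # Browser URL parsers rewrite control characters and backslashes
    # ("\" becomes "/" for http and https), so reject them before parsing.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in candidate):
        return default

    parts = urlsplit(candidate)
    # Any scheme (http, https, javascript, data, ...) or authority component
    # means the target is not a local path on this origin.
    if parts.scheme or parts.netloc:
        return default

    # Require exactly one leading slash: "//host" and "///host" are treated as
    # scheme-relative URLs by browsers even though urlsplit reports no netloc
    # for the triple-slash form.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default

    # Re-assemble from components so the result is an origin-relative path.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: one in-app path, one configured SAML URL,
    # and several shapes the validator must send back to the landing page.
    saml = ("https://idp.example/saml/logout",)
    for sample in ("/cmf/clusters?x=1", saml[0], "https://evil.example/",
                   "//evil.example/", "///evil.example", "javascript:alert(1)"):
        print(f"{sample!r:40} -> {validate_return_url(sample, saml)!r}")
```

The check is deliberately allowlist-shaped: rather than blocking known-bad prefixes, it accepts only origin-relative paths or an exact configured SAML URL, which is the behaviour the recommendation calls for.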

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2018-15913

Affected Products: Cloudera Manager