PT-2016-5360 · Red Hat · Red Hat Satellite

Adam Mariš

Published 2016-04-14 · Updated 2023-02-12

CVE-2016-3079

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Red Hat Satellite version 5.7

Description: Multiple cross-site scripting (XSS) flaws in the Satellite 5.7 web UI allow a remote attacker to inject arbitrary web script or HTML through several vectors: the PATH_INFO of the systems/SystemEntitlements.do action and the label parameter of the admin/multiorg/EntitlementDetails.do action (both reflected, which is why the CVSS vector carries UI:R, since a logged-in Satellite user has to be lured into opening a crafted URL), and the name of a snapshot tag or the name of a system group in System Set Manager (SSM), values that are persisted and rendered back to other users of the UI. Script that runs in a Satellite administrator's browser session acts with that administrator's privileges over every managed system, so the impact is not confined to the user's own data.

Recommendations: Apply the vendor update that addresses CVE-2016-3079 (RHSA-2016:0590 for Red Hat Satellite 5.7; SUSE-SU-2016:1367-1 is the corresponding SUSE update). Until the update is installed, restrict network access to the Satellite web UI to trusted administrators, restrict the ability to create or rename snapshot tags and SSM system groups to users who already hold administrative trust, and review existing tag and group names for HTML markup. Monitor the web server access log for requests to the two affected actions whose PATH_INFO or label value contains markup or script tokens; such requests are probes or delivery attempts, not normal UI traffic.
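The checks described above, as an added example rather than Red Hat's or the Spacewalk project's own code: a log scanner for the two reflected vectors, a filter for persisted tag and group names, a response check that tells a fixed build from a vulnerable one, and the entity-encoding the fixed template must apply. It assumes an Apache-style combined access log and that the Satellite UI is served under the /rhn/ prefix; the log lines, names and HTML fragments are constructed for illustration.

```python
"""Detection and hardening helpers for the CVE-2016-3079 XSS vectors.

Added example, not Red Hat's or the Spacewalk project's code. Assumes an
Apache-style combined access log and that the Satellite web UI is served
under the /rhn/ prefix; the sample log lines and HTML below are constructed.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Reflected vectors from the advisory, keyed by the action they hit.
REFLECTED_VECTORS = {
    "systems/SystemEntitlements.do": "PATH_INFO",
    "admin/multiorg/EntitlementDetails.do": "label",
}

# Tokens a benign PATH_INFO, entitlement label, snapshot tag or group name
# never needs, but an HTML-context injection does.
XSS_TOKEN = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def classify_request(target):
    """Return (vector, decoded_value) if the request target carries XSS
    tokens in one of the reflected vectors, else None. Percent-decoding
    happens before inspection so %3Cscript%3E is not missed."""
    parts = urlsplit(target)
    for action, vector in REFLECTED_VECTORS.items():
        idx = parts.path.find(action)
        if idx == -1:
            continue
        if vector == "PATH_INFO":
            # Everything after the action name is PATH_INFO.
            value = unquote(parts.path[idx + len(action):])
        else:
            # parse_qs decodes once; a second unquote catches double encoding.
            value = unquote(parse_qs(parts.query).get("label", [""])[0])
        if XSS_TOKEN.search(value):
            return vector, value
    return None


def scan_access_log(lines):
    """Return [(client_ip, vector, decoded_value), ...] for probing requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hit = classify_request(m.group("target"))
        if hit is not None:
            findings.append((m.group("ip"), hit[0], hit[1]))
    return findings


def scan_stored_names(names):
    """Stored vectors: snapshot tag and SSM system group names are persisted
    and rendered to other users later. Return the names carrying XSS tokens."""
    return [n for n in names if XSS_TOKEN.search(n)]


def reflected_unencoded(body, marker="<xsscheck>"):
    """True when a harmless marker sent in PATH_INFO or `label` comes back
    verbatim in the response body. A fixed build entity-encodes it, so only
    html.escape(marker) would be present and this returns False."""
    return marker in body


def safe_label_html(value):
    """What the fixed template must do before interpolating user-controlled
    text into HTML: entity-encode <, >, & and both quote characters."""
    return html.escape(value, quote=True)


# Constructed sample data (not real traffic): one benign request per action,
# one probe per reflected vector, and two persisted object names.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2016:10:01:02 +0000] "GET /rhn/systems/SystemEntitlements.do HTTP/1.1" 200 5120',
    '10.0.0.9 - - [14/Apr/2016:10:02:11 +0000] "GET /rhn/systems/SystemEntitlements.do/%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5201',
    '10.0.0.9 - - [14/Apr/2016:10:02:40 +0000] "GET /rhn/admin/multiorg/EntitlementDetails.do?label=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4410',
    '10.0.0.7 - - [14/Apr/2016:10:03:00 +0000] "GET /rhn/admin/multiorg/EntitlementDetails.do?label=enterprise_entitled HTTP/1.1" 200 4400',
]
SAMPLE_NAMES = ["pre-upgrade-2016-04", "webservers<svg onload=alert(1)>"]

if __name__ == "__main__":
    for ip, vector, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip} probed {vector}: {value!r}")
    print("tainted stored names:", scan_stored_names(SAMPLE_NAMES))
    print("escaped:", safe_label_html(SAMPLE_NAMES[1]))
```

The scanner decodes before matching because Satellite's Struts layer decodes PATH_INFO and query parameters itself, so an encoded `%3Cscript%3E` in the log is exactly what a working probe looks like. For the stored vectors, run scan_stored_names over the tag and group names exported from the Satellite database rather than over logs, since the injection happened at creation time and may predate log retention.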

Fix

Vendor update: RHSA-2016:0590 (Red Hat); SUSE-SU-2016:1367-1 (SUSE).

Weakness Enumeration

Cross-site scripting (XSS)

Related Identifiers

CVE-2016-3079
RHSA-2016:0590
SUSE-SU-2016:1367-1

Affected Products

Red Hat Satellite