PT-2018-13777 · Red Hat+1 · Foreman+1

Published

2018-12-07

Updated

2019-05-14

CVE-2018-16861

CVSS v3.1

7.6

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions Foreman versions prior to 1.18.3 Foreman versions prior to 1.19.1 Foreman versions prior to 1.20.0

Description A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users.

Recommendations For Foreman versions prior to 1.18.3, update to version 1.18.3 or later. For Foreman versions prior to 1.19.1, update to version 1.19.1 or later. For Foreman versions prior to 1.20.0, update to version 1.20.0 or later.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2019-1386

CVE-2018-16861

RHSA-2019:1222

Affected Products

Alt Linux

Foreman

PT-2018-13777 · Red Hat+1 · Foreman+1

CVE-2018-16861

Weakness Enumeration

Related Identifiers

Affected Products

References · 7