PT-2018-2570 · Red Hat · Katello, Satellite
Laura Pardo · Published 2018-09-11 · Updated 2022-05-14
CVE-2018-16887
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Satellite katello versions prior to 3.9.0
Description
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker who holds the privileges needed to create or edit organizations and locations can inject script that runs in the browsers of other users when they open the Subscriptions or Red Hat Repositories wizards. This allows malicious script execution in the victim's session and extraction of the anti-CSRF token of higher-privileged users. The root cause is insufficient neutralization of user-controlled input when the web page is generated.
Recommendations
For versions prior to 3.9.0, update to version 3.9.0 or later to resolve the issue. As a temporary workaround, restrict access to the Subscriptions and Red Hat Repositories wizards to minimize the risk of exploitation, and avoid using these wizards until the update has been applied.
Affected Products
Satellite
Katello