PT-2018-9392 · Cobbler+2

Michael Overmeyer · Published 2018-08-20 · Updated 2024-06-15 · CVE-2018-1000225

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Cobbler versions 2.0.0 through 2.6.11+

Description
The issue concerns a Cross Site Scripting (XSS) vulnerability in cobbler-web, which can lead to privilege escalation to admin. It is exploitable over the network by sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API at "/cobbler api".

Recommendations
For Cobbler versions 2.0.0 through 2.6.11+, consider disabling the cobbler-web module until a patch is available to prevent exploitation of the XSS vulnerability. Restrict access to the Cobbler XMLRPC API at "/cobbler api" to minimize the risk of unauthenticated JavaScript payload attacks.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-1000225
GHSA-Q9G5-98PM-W6Q7
OPENSUSE-SU-2018_2590-1
OPENSUSE-SU-2021:0046-1
OPENSUSE-SU-2021:0058-1
OPENSUSE-SU-2021_0046-1
OPENSUSE-SU-2024:10690-1
SUSE-RU-2018:2639-1
SUSE-SU-2018:2551-1
SUSE-SU-2018:2561-1
SUSE-SU-2018:2608-1
USN-6475-1

Affected Products

Cobbler
Suse
Ubuntu