PT-2024-8622 · Hashicorp · Hashicorp Consul

Published 2024-10-30 · Updated 2025-01-10 · CVE-2024-10086

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Consul (affected versions not specified); Consul Enterprise (affected versions not specified)
Description: Consul and Consul Enterprise are vulnerable to reflected cross-site scripting (XSS). Some HTTP responses are returned without an explicit Content-Type header, so a browser that receives a response containing user-supplied input falls back to MIME sniffing, can classify the body as HTML, and renders attacker-controlled markup in the Consul origin. A remote attacker who gets a victim to open a crafted URL can thereby execute script in the context of the victim's Consul session.
Recommendations: Update to a release that contains the fix, following the vendor's guidance. As a temporary workaround, restrict access to the Consul HTTP API and UI to trusted networks and clients, and restrict the user-provided inputs that reach reflected responses. Where Consul sits behind a reverse proxy, adding an explicit non-HTML Content-Type and X-Content-Type-Options: nosniff to responses that lack them is a compensating control that stops the browser from interpreting such responses as HTML.
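The mechanism described above, as an added example that is not Consul's code and is not part of the original advisory: a minimal Go handler that reflects a query parameter without setting Content-Type, the same handler hardened, and a check that reports whether a browser would treat the response as an HTML document. The endpoint path `/lookup`, the `key` parameter and the payload are constructed for illustration and do not correspond to any Consul endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// payload is a constructed attacker-controlled value. It starts with a tag that
// the WHATWG MIME-sniffing algorithm (and Go's http.DetectContentType, which
// implements it) classifies as HTML.
const payload = `<script>alert(document.domain)</script>`

// vulnerableHandler (hypothetical, not Consul's code) reflects the caller's
// query parameter into a plain error message and never sets Content-Type.
// Because the header is missing, net/http fills it in from
// http.DetectContentType on the first 512 bytes of the body; a body that
// begins with <script> therefore goes out as text/html and the browser runs
// the reflected script in the origin of the API.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	key := r.URL.Query().Get("key")
	fmt.Fprintf(w, "%s: key not found", key)
}

// hardenedHandler fixes both halves of the problem: it declares a non-HTML
// Content-Type before the first write and sends X-Content-Type-Options: nosniff
// so the browser may not override that declaration. Encoding the reflected
// value as JSON also escapes '<' and '>' as \u003c and \u003e.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	key := r.URL.Query().Get("key")
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusNotFound)
	_ = json.NewEncoder(w).Encode(map[string]string{"error": key + ": key not found"})
}

// probeResult holds the parts of a response that decide whether a browser
// treats it as a document.
type probeResult struct {
	ContentType string
	Nosniff     string
	Body        string
}

// probe drives a handler through an in-memory recorder, which applies the same
// DetectContentType fallback the real server uses when Content-Type is unset.
func probe(h http.HandlerFunc, value string) probeResult {
	req := httptest.NewRequest(http.MethodGet, "/lookup?key="+url.QueryEscape(value), nil)
	rr := httptest.NewRecorder()
	h(rr, req)
	return probeResult{
		ContentType: rr.Header().Get("Content-Type"),
		Nosniff:     rr.Header().Get("X-Content-Type-Options"),
		Body:        rr.Body.String(),
	}
}

// rendersAsHTML is the check to run against any endpoint that echoes input:
// with no declared type the browser sniffs the body; with a declared type it
// follows the declaration (nosniff makes that explicit and closes the
// remaining sniffing cases). Only text/html is rendered as a document.
func rendersAsHTML(res probeResult) bool {
	ct := res.ContentType
	if ct == "" {
		ct = http.DetectContentType([]byte(res.Body))
	}
	mediaType, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return false
	}
	return mediaType == "text/html"
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableHandler}, {"hardened", hardenedHandler}} {
		res := probe(c.h, payload)
		fmt.Printf("%-10s Content-Type=%q X-Content-Type-Options=%q rendersAsHTML=%v\n",
			c.name, res.ContentType, res.Nosniff, rendersAsHTML(res))
	}
}
```

The same probe can be pointed at a real endpoint by replacing the recorder with an HTTP client: any reflected response whose Content-Type is empty, or text/html without the reflected value being escaped, is the condition this advisory describes.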

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers

ALT-PU-2024-15498
BDU:2024-10200
BIT-CONSUL-2024-10086
CVE-2024-10086
GHSA-99WR-C2PX-GRMH
GO-2024-3242
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14458-1
OPENSUSE-SU-2024_3950-1
SUSE-SU-2024:3950-1

Affected Products

Alt Linux
Hashicorp Consul
Hashicorp Consul Enterprise
Debian
Red Os
Suse