CVE-2016-8639

It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.

Published: Aug 1, 2018
Updated: Apr 13, 2023
CVE: CVE-2016-8639
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
theforeman / foreman	-	1.13.0
redhat / satellite	6.3	6.3.x
redhat / satellite_capsule	6.3	6.3.x

http://www.securityfocus.com/bid/94263
https://access.redhat.com/errata/RHSA-2018:0336
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639
https://github.com/theforeman/foreman/pull/3523
https://projects.theforeman.org/issues/15037

Vulnerability Database

289,599

CVE-2016-8639