CVE-2018-16861

A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable.

Published: Dec 7, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-16861
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
theforeman / foreman	-	1.18.3
theforeman / foreman	1.19.0	1.19.1
theforeman / foreman	1.20.0-rc1	1.20.0-rc1.x
theforeman / foreman	1.20.0-rc2	1.20.0-rc2.x

https://access.redhat.com/errata/RHSA-2019:1222
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16861

Vulnerability Database

289,697

CVE-2018-16861