CVE-2016-8613

EPSS 0.74%
Veröffentlicht 31.07.2018 20:29:00
Zuletzt bearbeitet 21.11.2024 02:59:40
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS vulnerability.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Theforeman ≫ Foreman Version1.5.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.74%	0.719

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
secalert@redhat.com	6.4	3.1	2.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://www.securityfocus.com/bid/93859

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8613

Patch

Third Party Advisory

Issue Tracking

https://github.com/theforeman/foreman_remote_execution/pull/208

Third Party Advisory

https://projects.theforeman.org/issues/17066/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2016-8613

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-8613

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-8613

EUVD