CVE-2016-8613

EPSS 0.74%
Published 31.07.2018 20:29:00
Last modified 21.11.2024 02:59:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS vulnerability.

Affected products Warnungen 0 Metrics 4 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Theforeman ≫ Foreman Version1.5.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.74%	0.719

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
secalert@redhat.com	6.4	3.1	2.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://www.securityfocus.com/bid/93859

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8613

Patch

Third Party Advisory

Issue Tracking

https://github.com/theforeman/foreman_remote_execution/pull/208

Third Party Advisory

https://projects.theforeman.org/issues/17066/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2016-8613

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-8613

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-8613

EUVD