CVE-2016-6319
Published: 2016-08-19
Priority: P4 · 26 · Severity: medium · CVSS 3.0 base score: 6.1
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.96% (77.8th percentile)
Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb in Foreman before 1.12.2, as used by Remote Execution and possibly other plugins, allows remote attackers to inject arbitrary web script or HTML via the label parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | <= 1.12.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 6.1 | MEDIUM | — |
Red Hat
foreman: Persistent XSS in Foreman remote execution plugin
Source: vendor_redhat · 2016-08-09 · CVSS 6.1 · Severity: MEDIUM · CWE-79
It was found that foreman is vulnerable to a stored XSS via a job template with a malformed name. This could allow an attacker with privileges to set the name in a template to display arbitrary HTML including scripting code within the web interface.
Package: foreman (Red Hat Ceph Storage 1.3) - Will not fix
GHSA
GHSA-63pc-xj3r-v6f8: Cross-site scripting (XSS) vulnerability in app/helpers/form_helper
Source: ghsa_unreviewed · 2022-05-14 · Severity: MEDIUM · CWE-79
No detection rules found.
No public exploits indexed.
References
http://projects.theforeman.org/issues/16019
http://projects.theforeman.org/issues/16024
http://www.securityfocus.com/bid/92429
https://access.redhat.com/errata/RHSA-2018:0336
https://bugzilla.redhat.com/show_bug.cgi?id=1365815
https://github.com/theforeman/foreman/commit/0f35fe14acf0d0d3b55e9337bc5e2b9640ff2372
https://theforeman.org/security.html#2016-6319