CVE-2016-8613

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

6.1MEDIUM

EPSS

0.7%

top 27.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Foreman Project Foreman Theforeman Foreman

Timeline

PublishedJul 31

Latest updateMay 13

Description

A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages2 packages

▶NVDtheforeman/foreman1.5.1

▶CVEListV5the_foreman_project/foreman1.5.1

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-hh7m-gjfx-m9cw: A flaw was found in foreman 1↗2022-05-13

▶

CVEList

CVE-2016-8613: A flaw was found in foreman 1↗2018-07-31

▶

📋Vendor Advisories

Red Hat

foreman: Stored XSS vulnerability in remote execution plugin↗2016-10-24

▶

💬Community

Bugzilla

CVE-2016-8613 foreman: Stored XSS vulnerability in remote execution plugin↗2016-10-20

▶