CVE-2017-15100

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 43.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Foreman Foreman Project Foreman Redhat Satellite +1 more

Timeline

PublishedNov 27

Latest updateMay 14

Description

An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDtheforeman/foreman< 1.16.0

▶CVEListV5foreman_project/foreman1.2 and later, a fix is planned for 1.16.0

▶NVDredhat/satellite6.4

▶NVDredhat/satellite_capsule6.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-7rg9-xhxc-j3pm: An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "char↗2022-05-14

▶

CVEList

CVE-2017-15100: An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "char↗2017-11-27

▶

📋Vendor Advisories

Red Hat

foreman: Stored XSS in fact name or value↗2017-10-31

▶

💬Community

Bugzilla

CVE-2017-15100 foreman: Stored XSS in fact name or value↗2017-11-01

▶