CVE-2017-2661
Published 2018-03-12
Priority P423 · medium · 6.1 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.22% (64.8th percentile)
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clusterlabs | pcs | < 0.9.157 | 0.9.157 |
| clusterlabs | pcs | — | — |
| clusterlabs | pcs | >= 0 < 0.9.155+dfsg-2 | 0.9.155+dfsg-2 |
| clusterlabs | pcs | >= 0 < 0.9.155+dfsg-2 | 0.9.155+dfsg-2 |
| clusterlabs | pcs | >= 0 < 0.9.155+dfsg-2 | 0.9.155+dfsg-2 |
| clusterlabs | pcs | >= 0 < 0.9.155+dfsg-2 | 0.9.155+dfsg-2 |
| clusterlabs | pcs | >= 0 < 0.9.149-1ubuntu1.1+esm1 | 0.9.149-1ubuntu1.1+esm1 |
| clusterlabs | pcs | >= 0 < 0.10.4-3ubuntu0.1~esm1 | 0.10.4-3ubuntu0.1~esm1 |
| clusterlabs | pcs | >= 0 < 0.10.11-2ubuntu3+esm1 | 0.10.11-2ubuntu3+esm1 |
| debian | pcs | < pcs 0.9.155+dfsg-2 (bookworm) | pcs 0.9.155+dfsg-2 (bookworm) |
CVSS provenance
nvd · v3.0 · 6.1 · MEDIUM · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd · v2.0 · 4.3 · MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
osv · 6.1 · MEDIUM
vendor_debian · 6.1 · MEDIUM
vendor_redhat · 6.1 · MEDIUM
vendor_ubuntu · 6.1 · MEDIUM
Ubuntu
pcs vulnerabilities
vendor_ubuntu·2025-07-02·CVSS 6.1
CVE-2022-2735 [MEDIUM] pcs vulnerabilities
Summary: Several security issues were fixed in pcs.
Cedric Buissart discovered that pcs did not correctly handle certain
parameters. An attacker could possibly use this issue to leak sensitive
information or elevate their privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2018-1086)
Ondrej Mular discovered that pcs did not correctly handle Unix socket
permissions. An attacker could possibly use this issue to elevate their
privileges. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2735)
It was discovered that pcs did not correctly handle PAM authentication.
An attacker could possibly use this issue to bypass authentication
mechanisms. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-1049)
It was discovered that pcs did
Red Hat
pcs: Improper node name field validation when creating clusters leads to XSS
vendor_redhat·2017-03-21·CVSS 6.1
CVE-2017-2661 [MEDIUM] CWE-79 pcs: Improper node name field validation when creating clusters leads to XSS
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster.
It was found that pcsd was vulnerable to reflected cross-site scripting (XSS) attacks while handling node names during creation or import of a cluster. An attacker could use this flaw to run JavaScript code in an authenticated session.
Package: pcs (Red Hat Enterprise Linux 6) - Will not fix
Package: pcs (Red Hat Enterprise Linux 7) - Will not fix
Package: pcs (Red Hat Storage 3) - Will not fix
Debian
CVE-2017-2661: pcs - ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting v...
vendor_debian·2017·CVSS 6.1
CVE-2017-2661 [MEDIUM] CVE-2017-2661: pcs - ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting v...
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster.
Scope: local
bookworm: resolved (fixed in 0.9.155+dfsg-2)
bullseye: resolved (fixed in 0.9.155+dfsg-2)
forky: resolved (fixed in 0.9.155+dfsg-2)
sid: resolved (fixed in 0.9.155+dfsg-2)
trixie: resolved (fixed in 0.9.155+dfsg-2)
OSV
pcs vulnerabilities
osv·2025-07-02·CVSS 6.1
CVE-2018-1086 [MEDIUM] pcs vulnerabilities
Cedric Buissart discovered that pcs did not correctly handle certain
parameters. An attacker could possibly use this issue to leak sensitive
information or elevate their privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2018-1086)
Ondrej Mular discovered that pcs did not correctly handle Unix socket
permissions. An attacker could possibly use this issue to elevate their
privileges. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2735)
It was discovered that pcs did not correctly handle PAM authentication.
An attacker could possibly use this issue to bypass authentication
mechanisms. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-1049)
It was discovered that pcs did not correctly handle the validation of
Node names. An attack
GHSA
GHSA-qc8r-mjjf-5j6v: ClusterLabs pcs before version 0
ghsa_unreviewed·2022-05-13
CVE-2017-2661 [MEDIUM] CWE-79 GHSA-qc8r-mjjf-5j6v: ClusterLabs pcs before version 0
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster.
OSV
CVE-2017-2661: ClusterLabs pcs before version 0
osv·2018-03-12·CVSS 6.1
CVE-2017-2661 [MEDIUM] CVE-2017-2661: ClusterLabs pcs before version 0
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-2661 pcs: Improper node name field validation when creating clusters leads to XSS [fedora-all]
bugzilla·2017-03-20·CVSS 6.1
CVE-2017-2661 [MEDIUM] CVE-2017-2661 pcs: Improper node name field validation when creating clusters leads to XSS [fedora-all]
Use the following template for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
# bugfix, security, enhancement, newpackage (required)
type=security
# testing, stable
request=testing
# Bug numbers: 1234,9876
bugs=1428948
# Description of your update
notes=Security fix for [PUT CVEs HERE]
# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3
# Automatically close bugs when this marked as stable
close_bugs=True
# Suggest that users r
Bugzilla
CVE-2017-2661 pcs: Improper node name field validation when creating clusters leads to XSS
bugzilla·2017-03-03·CVSS 6.1
CVE-2017-2661 [MEDIUM] CVE-2017-2661 pcs: Improper node name field validation when creating clusters leads to XSS
A cross-site scripting vulnerability was found in pcs due to improper validation of the Node name field when creating a new cluster or adding an existing cluster.
Upstream fix:
* web UI: fixed XSS vulnerability
https://github.com/ClusterLabs/pcs/commit/1874a769b5720ae5430f10c6cedd234430bc703f
Discussion:
Acknowledgments:
Name: Microsoft
---
Created pcs tracking bugs for this issue:
Affects: fedora-all [bug 1434111]
---
Created attachment 1265070
proposed fix