CVE-2017-7535
Published: 2018-07-26
Priority: P425 · Severity: medium · CVSS 3.0 base score: 6.1
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.49% (70.8th percentile)
Foreman before version 1.16.0 is vulnerable to a stored XSS in the organizations/locations assignment to hosts. Exploiting this requires a user to actively assign hosts to an organization whose name contains HTML, which is visible to the user prior to taking action.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| foreman | foreman | — | — |
| theforeman | foreman | < 1.16.0 | 1.16.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Red Hat (vendor) | — | 6.1 | MEDIUM | — |
GHSA
GHSA-4w27-xxvw-958c · ghsa_unreviewed · 2022-05-13 · CVE-2017-7535 · MEDIUM · CWE-79
Description: identical to the CVE description above.
Red Hat
foreman: XSS in the manage organization page
vendor_redhat · 2017-07-12 · CVSS 6.1 · CVE-2017-7535 · MEDIUM · CWE-79
Description: identical to the CVE description above.
Package: foreman (Red Hat Ceph Storage 1.3) - Will not fix
Package: foreman (Red Hat Satellite 6) - Under investigation
No detection rules found.
No public exploits indexed.
References
- http://seclists.org/oss-sec/2017/q3/521
- http://www.securityfocus.com/bid/99604
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7535
- https://projects.theforeman.org/issues/20963