CVE-2018-1000225 — Cross-site Scripting in Project Cobbler

CWE-79 — Cross-site Scripting9 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 49.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cobbler Project Cobbler

Timeline

PublishedAug 20

Latest updateNov 13

Description

Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be exploitable via "network connectivity". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Ubuntucobbler_project/cobbler< 2.4.1-0ubuntu2+esm1

▶PyPIcobbler_project/cobbler2.6.11

🔴Vulnerability Details

OSV

cobbler vulnerabilities↗2023-11-13

▶

OSV

Cobbler XSS Vulnerability↗2022-05-14

▶

GHSA

Cobbler XSS Vulnerability↗2022-05-14

▶

CVEList

CVE-2018-1000225: Cobbler version Verified as present in Cobbler versions 2↗2018-08-20

▶

OSV

CVE-2018-1000225: Cobbler version Verified as present in Cobbler versions 2↗2018-08-20

▶

📋Vendor Advisories

Ubuntu

Cobbler vulnerabilities↗2023-11-13

▶

Red Hat

cobbler: Persistent XSS vulnerability in cobbler-web↗2018-08-02

▶

💬Community

Bugzilla

CVE-2018-1000225 cobbler: Persistent XSS vulnerability in cobbler-web↗2018-08-03

▶