CVE-2018-14664

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 47.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

[unknown] Foreman Theforeman Foreman

Timeline

PublishedOct 12

Latest updateMay 14

Description

A flaw was found in foreman from versions 1.18. A stored cross-site scripting vulnerability exists due to an improperly escaped HTML code in the breadcrumbs bar. This allows a user with permissions to edit which attribute is used in the breadcrumbs bar to store code that will be executed on the client side.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5[unknown]/foremann/a

▶NVDtheforeman/foreman1.18.0

🔴Vulnerability Details

GHSA

GHSA-5xq8-2vfq-6q92: A flaw was found in foreman from versions 1↗2022-05-14

▶

CVEList

CVE-2018-14664: A flaw was found in foreman from versions 1↗2018-10-12

▶

📋Vendor Advisories

Red Hat

foreman: Persisted XSS on all pages that use breadcrumbs↗2018-10-10

▶

💬Community

Bugzilla

CVE-2018-14664 foreman: Persisted XSS on all pages that use breadcrumbs↗2018-10-10

▶