CVE-2018-16887

CWE-79 — Cross-site Scripting (XSS)6 documents6 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 42.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Katello THE Katello Project Katello Redhat Satellite

Timeline

PublishedJan 13

Latest updateMay 14

Description

A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶RubyGemskatello< 3.9.0

▶NVDtheforeman/katello< 3.9.0

▶NVDredhat/satellite6.0

▶CVEListV5the_katello_project/katello3.9.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

katello Cross-site Scripting vulnerability↗2022-05-14

▶

OSV

katello Cross-site Scripting vulnerability↗2022-05-14

▶

CVEList

CVE-2018-16887: A cross-site scripting (XSS) flaw was found in the katello component of Satellite↗2019-01-13

▶

📋Vendor Advisories

Red Hat

katello: stored XSS in subscriptions and repositories pages↗2018-10-11

▶

💬Community

Bugzilla

CVE-2018-16887 katello: stored XSS in subscriptions and repositories pages↗2018-11-01

▶