CVE-2019-11651
Published: 2019-10-02
CVE-2019-11651: Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server, all versions prior to version 3.0 Patch Update 20, version 4.0 Patch Update 12, and…
Priority: P4 · 25 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.78% (51.5th percentile)
Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server, all versions prior to version 3.0 Patch Update 20, version 4.0 Patch Update 12, and version 5.0 Patch Update 2. The vulnerability could be exploited to redirect a user to a malicious page or forge certain types of web requests.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microfocus | enterprise_developer | — | — |
| microfocus | enterprise_developer | — | — |
| microfocus | enterprise_developer | — | — |
| microfocus | enterprise_server | — | — |
| microfocus | enterprise_server | — | — |
| microfocus | enterprise_server | — | — |
| saltstack | salt | >= 0 < 2019.2.4 | 2019.2.4 |
| saltstack | salt | >= 3000 < 3000.2 | 3000.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Red Hat (vendor) | — | 9.8 | CRITICAL | — |
GHSA
GHSA-wjg5-m2j8-r4h6 (CVE-2019-11651, MEDIUM, CWE-79): Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server, all versions prior to version 3
Source: GHSA (unreviewed) · 2022-05-24
Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server, all versions prior to version 3.0 Patch Update 20, version 4.0 Patch Update 12, and version 5.0 Patch Update 2. The vulnerability could be exploited to redirect a user to a malicious page or forge certain types of web requests.
GHSA
SaltStack Salt Unauthenticated Remote Code Execution (CVE-2020-11651, CRITICAL, CWE-20)
Source: GHSA · 2022-05-24
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Red Hat
salt: salt-master process ClearFuncs class does not properly validate method calls (CVE-2020-11651, CRITICAL, CWE-20)
Source: Red Hat (vendor) · 2020-04-29 · CVSS 9.8
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
An authentication bypass vulnerability was found in Salt, where it is susceptible to arbitrary code execution when processing unauthenticated requests by the ClearFuncs class. This flaw allows an attacker to execute arbitrary code on Salt minions as root.
Statement: Red Hat Ceph Storage 2 shipped salt for the usage of Red Hat Storage Console 2(RHSCON-2), wh
Detection rules: none found.
Published: 2019-10-02