CVE-2021-3529 — Cross-site Scripting in Redhat Noobaa-operator

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 54.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Noobaa-operator Redhat Openshift Container Platform

Timeline

PublishedJun 2

Latest updateMay 24

Description

A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.7

Affected Packages1 packages

▶NVDredhat/noobaa-operator< 5.7.0

Also affects: Openshift Container Platform 4.0

🔴Vulnerability Details

GHSA

GHSA-cr32-cm8v-9pww: A flaw was found in noobaa-core in versions before 5↗2022-05-24

▶

CVEList

CVE-2021-3529: A flaw was found in noobaa-core in versions before 5↗2021-06-02

▶

📋Vendor Advisories

Red Hat

noobaa-core: Cross-site scripting vulnerability with noobaa management URL↗2021-04-16

▶