CVE-2022-43754

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 52.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Suse Linux Enterprise Module FOR Suse Manager Server 4.2 Suse Suse Linux Enterprise Module FOR Suse Manager Server 4.3 Suse Suse Manager Server 4.2 +2 more

Timeline

PublishedNov 10

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to embed Javascript code via /rhn/audit/scap/Search.do This issue affects: SUSE Linux Enterprise Module for SUSE Manager Server 4.2 hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-f…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5suse/suse_linux_enterprise_module_for_suse_manager_server_4.2hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-formula-0.3-150300.3.3.2, py27-compat-salt-3000.3-150300.7.7.26.2, python-urlgrabber-3.10.2.1py2_3-150300.3.3.2, spacecmd-4.2.20-150300.4.30.2, spacewalk-backend-4.2.25-150300.4.32.4, spacewalk-client-tools-4.2.21-150300.4.27.3, spacewalk-java-4.2.43-150300.3.48.2, spacewalk-utils-4.2.18-150300.3.21.2, spacewalk-web-4.2.30-150300.3.30.3, susemanager-4.2.38-150300.3.44.3, susemanager-doc-indexes-4.2-150300.12.36.3, susemanager-docs_en-4.2-150300.12.36.2, susemanager-schema-4.2.25-150300.3.30.3, susemanager-sls — 4.2.28

▶CVEListV5suse/suse_linux_enterprise_module_for_suse_manager_server_4.3spacewalk-java — 4.3.39

▶CVEListV5suse/suse_manager_server_4.2release-notes-susemanager — 4.2.10

▶NVDsuse/manager_server4.2 — 4.2.10+1

▶NVDuyuni-project/uyuni< 2022.10

🔴Vulnerability Details

GHSA

GHSA-vjvm-4cfh-7m4p: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Modu↗2022-11-10

▶

CVEList

SUMA/UYUNI reflected cross site scripting in /rhn/audit/scap/Search.do↗2022-11-10

▶

External resources

NVD MITRE

Affected products5

Suse Manager Server≥ 4.2, < 4.2.10≥ 4.3, < 4.3.2

Suse Suse Linux Enterprise Module FOR Suse Manager Server 4.2≥ hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-formula-0.3-150300.3.3.2, py27-compat-salt-3000.3-150300.7.7.26.2, python-urlgrabber-3.10.2.1py2_3-150300.3.3.2, spacecmd-4.2.20-150300.4.30.2, spacewalk-backend-4.2.25-150300.4.32.4, spacewalk-client-tools-4.2.21-150300.4.27.3, spacewalk-java-4.2.43-150300.3.48.2, spacewalk-utils-4.2.18-150300.3.21.2, spacewalk-web-4.2.30-150300.3.30.3, susemanager-4.2.38-150300.3.44.3, susemanager-doc-indexes-4.2-150300.12.36.3, susemanager-docs_en-4.2-150300.12.36.2, susemanager-schema-4.2.25-150300.3.30.3, susemanager-sls, < 4.2.28

Suse Suse Linux Enterprise Module FOR Suse Manager Server 4.3≥ spacewalk-java, < 4.3.39

Suse Suse Manager Server 4.2≥ release-notes-susemanager, < 4.2.10

Uyuni-project Uyunifixed in 2022.10

Disclosure

PublishedNov 10, 2022