CVE-2023-3971

CWE-80 CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.4%

top 39.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Automation Controller Redhat Ansible Automation Platform Redhat Ansible Developer +1 more

Timeline

PublishedOct 4

Description

An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:NExploitability: 2.1 | Impact: 5.2

Affected Packages4 packages

▶NVDredhat/ansible_automation_controller< 4.3.11+1

▶NVDredhat/ansible_inside1.1

▶NVDredhat/ansible_developer1.0

▶NVDredhat/ansible_automation_platform2.3, 2.4+1

🔴Vulnerability Details

GHSA

GHSA-p5xq-xr8f-3wj4: An HTML injection flaw was found in Controller in the user interface settings↗2023-10-04

▶

CVEList

Controller: html injection in custom login info↗2023-10-04

▶

📋Vendor Advisories

Red Hat

Controller: Html injection in custom login info↗2023-07-27

▶