Bug 1346217 (CVE-2016-6209)
Summary: | CVE-2016-6209 nagios: Reflected XSS vulnerability and possible phishing vector | | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | aavati, abaron, affix, apevec, avibelli, ayoung, chrisw, cvsbot-xmlrpc, gsterlin, jbalunas, jose.p.oliveira.oss, jschluet, jshepherd, kbasil, lhh, lpeer, markmc, mmagr, ondrejj, rbryant, rcyriac, redhat, rfortier, rhs-bugs, rrajasek, sclewis, sgirijan, sisharma, srevivo, ssaha, s, swilkerson, tdecacqu, tkirby, vbellur |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A user-supplied GET parameter is used to build the value placed in the src attribute of an iframe displayed on all pages. This allows CSRF and JavaScript insertion techniques, among others. An attacker could forge a malicious URL that includes JavaScript execution in the main browser frame context, force the target to view a malicious web page (client side), or take advantage of concurrent cookies / sessions and perform a CSRF attack against other OpenStack components such as Horizon. | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 02:54:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1352658, 1352659, 1352660, 1352661, 1377884 | | |
Bug Blocks: | 1346219, 1369651 | | |
Description

Adam Mariš, 2016-06-14 09:58:59 UTC

Created nagios tracking bugs for this issue: Affects: fedora-all [bug 1377884]
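The pattern the Doc Text describes (a GET parameter copied straight into an iframe `src` attribute) shown beside an allowlist-based fix, as an added example that is not Nagios code and not part of this bug record; the parameter handling, the `/nagios/` path allowlist and the default page are assumptions.

```python
"""Vulnerable vs. hardened handling of a query value used as an <iframe src>.

Added example, not Nagios code.  The allowlist below and the default
page are constructed assumptions for illustration.
"""
from html import escape
from urllib.parse import urlsplit, unquote
import posixpath

# Assumed allowlist: only paths the web UI itself serves may be framed.
ALLOWED_PREFIXES = ("/nagios/cgi-bin/", "/nagios/")
DEFAULT_SRC = "/nagios/main.php"  # assumed fallback page


def vulnerable_iframe(param: str) -> str:
    """The unsafe pattern: the raw query value becomes the frame URL,
    so any scheme, host or attribute-breaking character reaches the page."""
    return '<iframe src="%s"></iframe>' % param


def safe_frame_src(param: str) -> str:
    """Return a normalised same-origin path, or DEFAULT_SRC if the value
    is not an allowlisted local page.

    Rejected: empty values, any scheme (javascript:, data:, http:),
    any host (scheme-relative //host), backslashes and control
    characters, and '..' traversal out of the allowed prefixes.
    """
    if not param:
        return DEFAULT_SRC
    raw = unquote(param)  # decode once, as the server would
    if any(ch in raw for ch in "\r\n\t\x00\\") or not raw.startswith("/"):
        return DEFAULT_SRC
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:  # catches //host and scheme:...
        return DEFAULT_SRC
    path = posixpath.normpath(parts.path)  # resolves /../ segments
    if not path.startswith(ALLOWED_PREFIXES):
        return DEFAULT_SRC
    query = f"?{parts.query}" if parts.query else ""
    return path + query


def hardened_iframe(param: str) -> str:
    """Allowlist the value, then attribute-escape it on output."""
    return '<iframe src="%s"></iframe>' % escape(safe_frame_src(param), quote=True)
```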