Bug 1645190 (CVE-2018-16887)
| Summary: | CVE-2018-16887 katello: stored XSS in subscriptions and repositories pages | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bbuckingham, bcourt, bkearney, cbillett, katello-bugs, mmccune, mrike, ohadlevy, rchan, rcosta, rjerrido, tomckay |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | katello 3.9.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:41:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1662179 | ||
| Bug Blocks: | 1637722 | ||
|
Description
Laura Pardo
2018-11-01 15:19:18 UTC
Acknowledgments: Name: Sanket Jagtap (Red Hat Pune India) Statement: Red Hat Subscription Asset Manager does not support the Organization Change, and therefore is not affected by this flaw. This issue has been addressed in the following products: Red Hat Satellite 6.5 for RHEL 7 Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222 |