Bug 2256831 (CVE-2023-3726)
| Summary: | CVE-2023-3726 ocsinventory-agent: stored XSS | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Nick Tait <ntait> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | riehecky |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A cross-site scripting (XSS) vulnerability has been identified in OCSInventory, which could potentially allow a remote attacker to steal sensitive data such as session cookies. It is also possible to steal the password hash if the attacker changes the server state to debug. Exploitation is possible if the target is an administrator who is logged in at the time of the attack. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2256832, 2256833 | | |
| Bug Blocks: | | | |
Description
Nick Tait
2024-01-04 16:27:07 UTC
Created ocsinventory-agent tracking bugs for this issue:

Affects: epel-all [bug 2256832]
Affects: fedora-all [bug 2256833]

Per https://fluidattacks.com/advisories/creed/ the vulnerability only impacts OCSInventory-ocsreports, which is not part of ocsinventory-agent. I don't think there is anything required from the ocsinventory-agent side on this.

Okay, that was my unfamiliarity with this package. Sorry for the spam. Please close as not affected.

Honestly, I'm pretty happy this happened as it shows more eyes than just mine are looking out :)