During the test we found that there is no input validation for user input, and it is possible to inject scripts into the text boxes at the following links:
https://3scale-admin.apps.rhoam-pentest.ofop.p1.openshiftapps.com/site/emails/edit
https://3scale-admin.apps.rhoam-pentest.ofop.p1.openshiftapps.com/p/admin/backend_apis/2
The XSS attack is possible only by an authenticated user, so the severity is low.
Acknowledgments: Siddharth Sharma (Red Hat Product Security), Or Asaf (Red Hat Product Security)
Affected version: 2.9.1 GA
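The report above names the vulnerability class (a value typed into an admin text box is later rendered into a page without encoding, so a script tag in it runs in another admin's browser) but not the field, payload or rendering code involved. The following Ruby snippet is an added illustration of that class and of the standard fix; it is not 3scale's code and not from the report. The template, the `subject` field, the `<script>alert(1)</script>` payload and the 200-character limit are all assumptions made for the example.

```ruby
require 'erb'

# Constructed sample input: the kind of value an authenticated admin could type
# into a text box. Hypothetical payload; the report does not disclose the real one.
PAYLOAD = '<script>alert(1)</script>'

# Hypothetical vulnerable rendering: the stored value is spliced into the page
# verbatim, so markup typed into the text box becomes live markup for every
# admin who later views the page (stored XSS).
def render_unescaped(value)
  ERB.new('<p class="subject"><%= value %></p>').result(binding)
end

# Hardened rendering: HTML-encode on output. The browser then shows the
# characters as text instead of parsing them as a script tag.
def render_escaped(value)
  ERB.new('<p class="subject"><%= ERB::Util.html_escape(value) %></p>').result(binding)
end

# The check a tester runs on the response: is there a raw <script tag in the
# rendered HTML? Escaped output contains "&lt;script&gt;" and does not match.
def reflects_script?(html)
  html.match?(/<script\b/i)
end

# Input-side validation for a short, plain-text field (assumed limit of 200
# characters, angle brackets rejected). Defense in depth only: output encoding
# is what actually prevents the injection, because other fields may legitimately
# need these characters.
def valid_subject?(value)
  value.is_a?(String) && value.length <= 200 && !value.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_unescaped(PAYLOAD)}  -> script tag present: #{reflects_script?(render_unescaped(PAYLOAD))}"
  puts "escaped:   #{render_escaped(PAYLOAD)}  -> script tag present: #{reflects_script?(render_escaped(PAYLOAD))}"
  puts "input accepted by validator: #{valid_subject?(PAYLOAD)}"
end
```

Running the file prints both renderings side by side; the escaped variant turns `<` and `>` into `&lt;` and `&gt;`, which is the behaviour to confirm when retesting a fix. Because only an authenticated admin can store the value, the practical impact is one admin attacking another, which is why the report rates it low.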
*** Bug 1850967 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

  3scale API Management

Via RHSA-2021:3851 https://access.redhat.com/errata/RHSA-2021:3851
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3442