CVE-2023-0119

MEDIUM 5.4

Foreman: stored cross-site scripting in host tab

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on the system can steal another user's session, make requests on behalf of the user, and obtain user credentials.

CWE	CWE-79
Published	Sep 12, 2023
Last Updated	Aug 2, 2024

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Red Hat / Red Hat Satellite 6.13 for RHEL 8

All versions affected

Red Hat / Red Hat Satellite 6.13 for RHEL 8

All versions affected

Red Hat / Red Hat Satellite 6.14 for RHEL 8

All versions affected

Red Hat / Red Hat Satellite 6.14 for RHEL 8

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2023:3387 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:6818 access.redhat.com: https://access.redhat.com/security/cve/CVE-2023-0119 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2159104 projects.theforeman.org: https://projects.theforeman.org/issues/35977

Credits

Red Hat would like to thank Dinko Dimitrov (Onsec.io) for reporting this issue.