Vulnerability Description
It was found that Foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. An attacker with the privileges needed to set the organization or location name could use this to display arbitrary HTML, including scripting code, within the web interface.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Theforeman | Foreman | < 1.13.0 |
| Redhat | Satellite | 6.3 |
| Redhat | Satellite Capsule | 6.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/94263 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:0336 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639 (Issue Tracking, Third Party Advisory)
- https://github.com/theforeman/foreman/pull/3523 (Third Party Advisory)
- https://projects.theforeman.org/issues/15037 (Vendor Advisory)
FAQ
What is CVE-2016-8639?
CVE-2016-8639 is a vulnerability with a CVSS score of 6.1 (MEDIUM). It was found that Foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. An attacker with the privileges needed to set the organization or location name could use this to display arbitrary HTML, including scripting code, within the web interface.
How severe is CVE-2016-8639?
CVE-2016-8639 has been rated MEDIUM with a CVSS base score of 6.1/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2016-8639?
Check the references section above for vendor advisories and patch information. Affected products include: Theforeman Foreman, Redhat Satellite, Redhat Satellite Capsule.