Vulnerability Description
A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Theforeman | Foreman | < 1.18.3 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:1222
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16861Issue TrackingPatchThird Party Advisory
- https://access.redhat.com/errata/RHSA-2019:1222
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16861Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2018-16861?
CVE-2018-16861 is a vulnerability with a CVSS score of 7.6 (HIGH). A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to...
How severe is CVE-2018-16861?
CVE-2018-16861 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-16861?
Check the references section above for vendor advisories and patch information. Affected products include: Theforeman Foreman.