CVE-2014-3654

Multiple cross-site scripting (XSS) vulnerabilities in spacewalk-java 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.5 and 5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) kickstart/cobbler/CustomSnippetList.do, (2) channels/software/Entitlements.do, or (3) admin/multiorg/OrgUsers.do.
Configurations

Configuration 1

OR
  • cpe:2.3:a:redhat:satellite:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:satellite:5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:satellite_with_embedded_oracle:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:spacewalk-java:2.0.2:*:*:*:*:*:*:*

Configuration 2

  • cpe:2.3:a:suse:manager_server:-:*:*:*:*:*:*:*

Configuration 3

AND
  • cpe:2.3:a:suse:manager:1.7:*:*:*:*:*:*:*
  • cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp2:*:*:*:*:*:*

History

13 Feb 2023, 00:41

Type: References
  • (MISC) https://access.redhat.com/errata/RHSA-2014:1762
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1144628
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-3654

Type: Summary
  Values Removed:
  Stored and reflected cross-site scripting (XSS) flaws were found in the way spacewalk-java displayed certain information. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data.
  Values Added:
  Multiple cross-site scripting (XSS) vulnerabilities in spacewalk-java 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.5 and 5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) kickstart/cobbler/CustomSnippetList.do, (2) channels/software/Entitlements.do, or (3) admin/multiorg/OrgUsers.do.

02 Feb 2023, 16:15

Type: References
  • (MISC) https://access.redhat.com/errata/RHSA-2014:1762
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1144628
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-3654

Type: Summary
  Values Removed:
  Multiple cross-site scripting (XSS) vulnerabilities in spacewalk-java 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.5 and 5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) kickstart/cobbler/CustomSnippetList.do, (2) channels/software/Entitlements.do, or (3) admin/multiorg/OrgUsers.do.
  Values Added:
  Stored and reflected cross-site scripting (XSS) flaws were found in the way spacewalk-java displayed certain information. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data.

25 Feb 2022, 19:16

Type: First Time
  Values Added:
  • Suse
  • Redhat satellite With Embedded Oracle
  • Suse manager
  • Suse manager Server
  • Suse suse Linux Enterprise Server

Type: CPE
  Values Added:
  • cpe:2.3:a:suse:manager_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:suse:manager:1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:satellite_with_embedded_oracle:5.5:*:*:*:*:*:*:*
  • cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp2:*:*:*:*:*:*

Type: References
  Values Removed (untagged):
  • (SECUNIA) http://secunia.com/advisories/60976
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00010.html
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00009.html
  • (SECUNIA) http://secunia.com/advisories/62027
  Values Added (tagged):
  • (SECUNIA) http://secunia.com/advisories/60976 - Third Party Advisory
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00010.html - Mailing List, Patch, Vendor Advisory
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00009.html - Mailing List, Patch, Vendor Advisory
  • (SECUNIA) http://secunia.com/advisories/62027 - Third Party Advisory

03 Feb 2022, 16:26

Type: CPE
  Values Removed:
  • cpe:2.3:a:redhat:network_satellite:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:network_satellite:5.6:*:*:*:*:*:*:*
  Values Added:
  • cpe:2.3:a:redhat:satellite:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:satellite:5.6:*:*:*:*:*:*:*

Type: First Time
  Values Added:
  • Redhat satellite

Information

Published : 2014-11-03 16:55

Updated : 2023-12-10 11:31


NVD link : CVE-2014-3654

Mitre link : CVE-2014-3654

CVE.ORG link : CVE-2014-3654

Products Affected

redhat

  • spacewalk-java
  • satellite_with_embedded_oracle
  • satellite

suse

  • manager_server
  • suse_linux_enterprise_server
  • manager
CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')