CVE-2015-7518

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2015-7518
Multiple cross-site scripting (XSS) vulnerabilities in information popups in Foreman before 1.10.0 allow remote attackers to inject arbitrary web script or HTML via (1) global parameters, (2) smart class parameters, or (3) smart variables in the (a) host or (b) hostgroup edit forms.

4.3 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
http://projects.theforeman.org/issues/12611
http://theforeman.org/security.html#2015-7518 Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/12/09/6
https://access.redhat.com/errata/RHSA-2016:0174
Configurations

Configuration 1 (hide)

cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*
History

12 Feb 2023, 23:15

Type Values Removed Values Added
Summary A stored cross-site scripting (XSS) flaw was found in the smart class parameters/variables field. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data. Multiple cross-site scripting (XSS) vulnerabilities in information popups in Foreman before 1.10.0 allow remote attackers to inject arbitrary web script or HTML via (1) global parameters, (2) smart class parameters, or (3) smart variables in the (a) host or (b) hostgroup edit forms.
References
  • {'url': 'https://access.redhat.com/security/cve/CVE-2015-7518', 'name': 'https://access.redhat.com/security/cve/CVE-2015-7518', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1285728', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1285728', 'tags': [], 'refsource': 'MISC'}

02 Feb 2023, 21:15

Type Values Removed Values Added
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2015-7518 -
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1285728 -
Summary Multiple cross-site scripting (XSS) vulnerabilities in information popups in Foreman before 1.10.0 allow remote attackers to inject arbitrary web script or HTML via (1) global parameters, (2) smart class parameters, or (3) smart variables in the (a) host or (b) hostgroup edit forms. A stored cross-site scripting (XSS) flaw was found in the smart class parameters/variables field. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data.
Information

Published : 2015-12-17 19:59

Updated : 2023-12-10 11:46

NVD link : CVE-2015-7518

Mitre link : CVE-2015-7518

CVE.ORG link : CVE-2015-7518

JSON object : View

Products Affected

theforeman

  • foreman
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')