CVE-2018-16887 — Vulnetix

CVE-2018-16887 PUBLISHED CVSS 5.400000095367432 MEDIUM

A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.

EPSS 0.35% · 57.3th percentile

Risk Scores

CVSS v3.0

5.400000095367432

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Score

0.35%

57.3th percentile

Affected Products

Vendor	Product	Versions
The Katello Project	katello	3.9.0
RubyGems	katello	0
theforeman	katello	0
redhat	satellite	6.0

Timeline

Jan 13, 2019 CVE Published
May 14, 2019 CVE Updated
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Aug 24, 2021 EPSS Score
Oct 25, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Feb 27, 2022 EPSS Score
May 1, 2022 EPSS Score
Jul 2, 2022 EPSS Score
Sep 4, 2022 EPSS Score
Nov 5, 2022 EPSS Score

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887 url
RHSA-2019:1222 vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2018-16887 advisory
https://github.com/Katello/katello package
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2018-16887.yml url

Open in Interactive Console →