CVE-2014-8162 – Satellite5: RPC API XML External Entities file disclosure
https://notcve.org/view.php?id=CVE-2014-8162
An XML external entity (XXE) vulnerability in the RPC interface in Spacewalk and Red Hat Network (RHN) Satellite 5.7 and earlier allows remote attackers to read arbitrary files and possibly have other unspecified impact via unknown vectors. It was found that the RPC interface in Satellite would resolve external entities, allowing an attacker to conduct XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the Satellite server, and potentially perform other more advanced XXE attacks.
References:
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00020.html
http://rhn.redhat.com/errata/RHSA-2015-0957.html
http://www.securityfocus.com/bid/74595
https://access.redhat.com/security/cve/CVE-2014-8162
https://bugzilla.redhat.com/show_bug.cgi?id=1187339
Weakness: CWE-611: Improper Restriction of XML External Entity Reference
CVE-2014-7811 – Spacewalk: multiple XSS
https://notcve.org/view.php?id=CVE-2014-7811
Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allow remote authenticated users to inject arbitrary web script or HTML via crafted XML data sent to the REST API.
References:
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00020.html
http://rhn.redhat.com/errata/RHSA-2015-0033.html
http://secunia.com/advisories/62183
https://access.redhat.com/security/cve/CVE-2014-7811
https://bugzilla.redhat.com/show_bug.cgi?id=1156299
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4480 – Satellite: Interface to create the initial administrator user remains open after installation
https://notcve.org/view.php?id=CVE-2013-4480
Red Hat Satellite 5.6 and earlier does not disable the web interface that is used to create the first user for a satellite after installation, which allows remote attackers to create administrator accounts.
References:
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00009.html
http://rhn.redhat.com/errata/RHSA-2013-1513.html
http://rhn.redhat.com/errata/RHSA-2013-1514.html
https://access.redhat.com/site/articles/539283
https://bugzilla.redhat.com/show_bug.cgi?id=1024614
https://access.redhat.com/security/cve/CVE-2013-4480
Weaknesses: CWE-668: Exposure of Resource to Wrong Sphere; CWE-862: Missing Authorization
CVE-2007-5961 – RHN XSS flaw
https://notcve.org/view.php?id=CVE-2007-5961
Cross-site scripting (XSS) vulnerability in the Red Hat Network channel search feature, as used in RHN and Red Hat Network Satellite before 5.0.2, allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
References:
http://osvdb.org/45765
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securitytracker.com/id?1020051
https://bugzilla.redhat.com/show_bug.cgi?id=396641
https://exchange.xforce.ibmcloud.com/vulnerabilities/42559
https://access.redhat.com/security/cve/CVE-2007-5961
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')