CVE-2014-8163
https://notcve.org/view.php?id=CVE-2014-8163
Directory traversal vulnerability in the XMLRPC interface in Red Hat Satellite 5. • https://access.redhat.com/security/cve/cve-2014-8163 https://bugzilla.redhat.com/show_bug.cgi?id=1187340 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2017-7514 – SAT 5 XSS in the Failed Systems page
https://notcve.org/view.php?id=CVE-2017-7514
A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users. A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Satellite 5. • https://access.redhat.com/errata/RHSA-2017:1558 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7514 https://access.redhat.com/security/cve/CVE-2017-7514 https://bugzilla.redhat.com/show_bug.cgi?id=1458052 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-7470 – spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks
https://notcve.org/view.php?id=CVE-2017-7470
It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py. • http://www.securityfocus.com/bid/98569 https://access.redhat.com/errata/RHSA-2017:1259 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7470 https://access.redhat.com/security/cve/CVE-2017-7470 https://bugzilla.redhat.com/show_bug.cgi?id=1439622 • CWE-863: Incorrect Authorization •
CVE-2016-3080 – spacewalk-monitoring: XSS issue in monitoring probe
https://notcve.org/view.php?id=CVE-2016-3080
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via the (1) RHNMD User or (2) Filesystem parameters, related to display of monitoring probes. A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed monitoring probes. An attacker can embed HTML and JavaScript in the values for RHNMD User or Filesystem parameters in Satellite, allowing them to inject malicious content into the web page that is then displayed with that probe data. • http://rhn.redhat.com/errata/RHSA-2016-1484.html https://bugzilla.redhat.com/show_bug.cgi?id=1320942 https://access.redhat.com/security/cve/CVE-2016-3080 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-3097 – spacewalk-java: Multiple XSS flaws
https://notcve.org/view.php?id=CVE-2016-3097
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via a group name, related to viewing snapshot data. A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed group names. An attacker can embed HTML and JavaScript in the values for group names in Satellite, allowing them to inject malicious content into the web page that is then displayed when viewing the snapshot data. • http://rhn.redhat.com/errata/RHSA-2016-1484.html https://bugzilla.redhat.com/show_bug.cgi?id=1322747 https://access.redhat.com/security/cve/CVE-2016-3097 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •