CVE-2017-7538 – 5: organization name allows XSS
https://notcve.org/view.php?id=CVE-2017-7538
A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users.
• http://www.securitytracker.com/id/1039267
• https://access.redhat.com/errata/RHSA-2017:2645
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7538
• https://access.redhat.com/security/cve/CVE-2017-7538
• https://bugzilla.redhat.com/show_bug.cgi?id=1471262
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7514 – SAT 5 XSS in the Failed Systems page
https://notcve.org/view.php?id=CVE-2017-7514
A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users.
• https://access.redhat.com/errata/RHSA-2017:1558
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7514
• https://access.redhat.com/security/cve/CVE-2017-7514
• https://bugzilla.redhat.com/show_bug.cgi?id=1458052
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-2236
https://notcve.org/view.php?id=CVE-2010-2236
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, related to backticks.
• http://secunia.com/advisories/56952
• https://bugzilla.redhat.com/attachment.cgi?id=819987&action=diff
• https://bugzilla.redhat.com/show_bug.cgi?id=607712
• https://git.fedorahosted.org/cgit/spacewalk.git/commit/?id=18c70164285cae0660fa3ac55c6656bb19b3b13f
• https://git.fedorahosted.org/cgit/spacewalk.git/commit/?id=c41c87a9dc9dac771eb761dd63ada05b2f9104f9
• https://www.suse.com/support/update/announcement/2014/suse-su-20140222-1.html
• CWE-20: Improper Input Validation
CVE-2013-4480 – Satellite: Interface to create the initial administrator user remains open after installation
https://notcve.org/view.php?id=CVE-2013-4480
Red Hat Satellite 5.6 and earlier does not disable the web interface that is used to create the first user for a satellite, which allows remote attackers to create administrator accounts.
• http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00009.html
• http://rhn.redhat.com/errata/RHSA-2013-1513.html
• http://rhn.redhat.com/errata/RHSA-2013-1514.html
• https://access.redhat.com/site/articles/539283
• https://bugzilla.redhat.com/show_bug.cgi?id=1024614
• https://access.redhat.com/security/cve/CVE-2013-4480
• CWE-668: Exposure of Resource to Wrong Sphere
• CWE-862: Missing Authorization
CVE-2008-2369 – Satellite: information disclosure via manzier.pxt RPC script
https://notcve.org/view.php?id=CVE-2008-2369
manzier.pxt in Red Hat Network Satellite Server before 5.1.1 has a hard-coded authentication key, which allows remote attackers to connect to the server and obtain sensitive information about user accounts and entitlements.
• http://rhn.redhat.com/errata/RHSA-2008-0630.html
• http://secunia.com/advisories/31493
• http://securitytracker.com/id?1020694
• http://www.securityfocus.com/bid/30679
• https://exchange.xforce.ibmcloud.com/vulnerabilities/44452
• https://access.redhat.com/security/cve/CVE-2008-2369
• https://bugzilla.redhat.com/show_bug.cgi?id=452461
• CWE-798: Use of Hard-coded Credentials