CVE-2017-7538 – 5: organization name allows XSS
https://notcve.org/view.php?id=CVE-2017-7538
A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users. Se ha detectado una vulnerabilidad Cross-Site Scripting (XSS) en la manera en la que se muestra un nombre de organización en Satellite 5 en versiones anteriores a la 5.8. Un usuario capaz de cambiar el nombre de una organización podría explotar esta vulnerabilidad para realizar ataques Cross-Site Scripting (XSS) contra otros usuarios de Satellite. A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5. • http://www.securitytracker.com/id/1039267 https://access.redhat.com/errata/RHSA-2017:2645 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7538 https://access.redhat.com/security/cve/CVE-2017-7538 https://bugzilla.redhat.com/show_bug.cgi?id=1471262 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-7514 – SAT 5 XSS in the Failed Systems page
https://notcve.org/view.php?id=CVE-2017-7514
A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users. Se ha encontrado un fallo de Cross-Site Scripting (XSS) en la forma en la que la entrada de acción se procesa en Red Hat Satellite en versiones anteriores a la 5.8.0. Un usuario que pueda especificar una acción fallida podría explotar este fallo para realizar ataques XSS contra otros usuarios de Satellite. A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Satellite 5. • https://access.redhat.com/errata/RHSA-2017:1558 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7514 https://access.redhat.com/security/cve/CVE-2017-7514 https://bugzilla.redhat.com/show_bug.cgi?id=1458052 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3654 – Satellite: Spacewalk contains multiple XSS (stored and reflected)
https://notcve.org/view.php?id=CVE-2014-3654
Multiple cross-site scripting (XSS) vulnerabilities in spacewalk-java 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.5 and 5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) kickstart/cobbler/CustomSnippetList.do, (2) channels/software/Entitlements.do, or (3) admin/multiorg/OrgUsers.do. Múltiples vulnerabilidades de XSS en spacewalk-java 2.0.2 en Spacewalk and Red Hat Network (RHN) Satellite 5.5 y 5.6 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados en (1) kickstart/cobbler/CustomSnippetList.do, (2) channels/software/Entitlements.do, o (3) admin/multiorg/OrgUsers.do. Stored and reflected cross-site scripting (XSS) flaws were found in the way spacewalk-java displayed certain information. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data. • http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00010.html http://rhn.redhat.com/errata/RHSA-2014-1762.html http://secunia.com/advisories/60976 http://secunia.com/advisories/62027 https://access.redhat.com/security/cve/CVE-2014-3654 https://bugzilla.redhat.com/show_bug.cgi?id=1144628 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3595 – Satellite: Spacewalk contains XSS in log file view
https://notcve.org/view.php?id=CVE-2014-3595
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging. Vulnerabilidad de XSS en spacewalk-java 1.2.39, 1.7.54, y 2.0.2 en Spacewalk y Red Hat Network (RHN) Satellite 5.4 hasta 5.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una petición modificada que no es manejada adecuadamente cuando se accede. A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed log files. By sending a specially crafted request to Satellite, a remote attacker could embed HTML content into the log file, allowing them to inject malicious content into the web page that is used to view that log file. • http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00009.html http://rhn.redhat.com/errata/RHSA-2014-1184.html http://secunia.com/advisories/61115 http://secunia.com/advisories/62027 https://access.redhat.com/security/cve/CVE-2014-3595 https://bugzilla.redhat.com/show_bug.cgi?id=1129821 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4480 – Satellite: Interface to create the initial administrator user remains open after installation
https://notcve.org/view.php?id=CVE-2013-4480
Red Hat Satellite 5.6 and earlier does not disable the web interface that is used to create the first user for a satellite, which allows remote attackers to create administrator accounts. Red Hat Satellite 5.6 y anteriores versiones no deshabilita la interfaz web que es usada para crear el primer usuario para un satellite, lo que permite a atacantes remotos crear cuentas de administrador. • http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00009.html http://rhn.redhat.com/errata/RHSA-2013-1513.html http://rhn.redhat.com/errata/RHSA-2013-1514.html https://access.redhat.com/site/articles/539283 https://bugzilla.redhat.com/show_bug.cgi?id=1024614 https://access.redhat.com/security/cve/CVE-2013-4480 • CWE-668: Exposure of Resource to Wrong Sphere CWE-862: Missing Authorization •