CVE-2017-15125
cloudforms: XSS in self-service UI snapshot feature
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
Se ha encontrado un fallo en CloudForms en versiones anteriores a la 5.9.0.22 en la función de instantánea de la interfaz de usuario de autoservicio, donde el campo de nombre no está correctamente saneado para la entrada de código HTML y JavaScript. Un atacante podría aprovechar este fallo para ejecutar un ataque de Cross-Site Scripting (XSS) persistente en un administrador de aplicaciones que emplee CloudForms. Nótese que el CSP (Content Security Policy) evita la explotación de este Cross-Site Scripting (XSS). Sin embargo, no todos los navegadores soportan CSP.
A flaw was found in CloudForms in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-10-08 CVE Reserved
- 2018-03-01 CVE Published
- 2023-07-21 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (5)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/102287 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2018:0380 | 2019-10-09 | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15125 | 2019-10-09 | |
https://access.redhat.com/security/cve/CVE-2017-15125 | 2018-03-01 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1517396 | 2018-03-01 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Cloudforms Management Engine Search vendor "Redhat" for product "Cloudforms Management Engine" | < 5.9.0.22 Search vendor "Redhat" for product "Cloudforms Management Engine" and version " < 5.9.0.22" | - |
Affected
|