CVE-2017-7554

RHMAP: Stored XSS in App Store

Severity Score

6.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

It was found that the App Studio component of RHMAP 4.4 executes javascript provided by a user. An attacker could use this flaw to execute a stored XSS attack on an application administrator using App Studio.

Se ha descubierto que el componente App Studio de RHMAP 4.4 ejecuta código JavaScript proporcionado por el usuario. Un atacante podría aprovechar este fallo para ejecutar un ataque de Cross-Site Scripting (XSS) persistente en un administrador de aplicaciones que emplee App Studio.

A flaw was found where the App Studio component of RHMAP 4.4 executes javascript provided by a user. An attacker could use this flaw to execute a stored XSS attack on an application administrator using App Studio.

Red Hat Mobile Application Platform 4.5 consists of three main components: Core - development and management of apps occurs in the RHMAP Core, which can be installed either in an on-premise installation of OpenShift Container Platform 3.x. MBaaS - Application data, runtimes, and integrations are deployed to the RHMAP MBaaS installed on OpenShift Container Platform 3.x. Build Farm - deployed separately from the Core and the MBaaS, the Build Farm is shared between all instances of RHMAP. Third-party Linux, Windows, and Apple server hosting providers are used to support building client app binaries for all platforms.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-05 CVE Reserved
2017-09-18 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=1478770	2017-09-18

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:2674	2017-12-31
https://access.redhat.com/errata/RHSA-2017:2675	2017-12-31
https://access.redhat.com/security/cve/CVE-2017-7554	2017-09-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Mobile Application Platform Search vendor "Redhat" for product "Mobile Application Platform"				4.4 Search vendor "Redhat" for product "Mobile Application Platform" and version "4.4"		-		Affected