CVE-2017-15100 Information

Description

An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page when clicking on the \chart\ button and hovering over the chart; (2) Trends page when checking the graph for a trend based on a such fact; (3) Statistics page for facts that are aggregated on this page.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://projects.theforeman.org/issues/21519 https://access.redhat.com/errata/RHSA-2018:2927 https://github.com/theforeman/foreman/pull/4967

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1