CVE-2017-15100

moderate-risk

Published 2017-11-27

An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page.

Do I need to act?

0.34% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (3)

Satellite

Foreman

Satellite Capsule

Affected Vendors

Theforeman Redhat

References (6)

Issue Tracking http://projects.theforeman.org/issues/21519

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:2927

Issue Tracking https://github.com/theforeman/foreman/pull/4967

Issue Tracking http://projects.theforeman.org/issues/21519

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:2927

Issue Tracking https://github.com/theforeman/foreman/pull/4967

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 9/34 · Low