CVE-2018-16861

moderate-risk

Published 2018-12-07

A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable.

Do I need to act?

0.39% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.6/10 High

NETWORK / LOW complexity

Affected Products (3)

Foreman

Affected Vendors

Theforeman

References (4)

https://access.redhat.com/errata/RHSA-2019:1222

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16861

https://access.redhat.com/errata/RHSA-2019:1222

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16861

/ 100

moderate-risk

Severity 27/34 · High

Exploitability 1/34 · Minimal

Exposure 9/34 · Low