CVE-2017-15125
A flaw was found in CloudForms in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
Find out more about CVE-2017-15125 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the versions of cfme as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS v3 metrics
| CVSS3 Base Score | 6.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| CloudForms Management Engine 5.9 (cfme) | RHSA-2018:0380 | 2018-03-01 |