CVE-2018-1000225

Impact:
Important
Public Date:
2018-08-02
CWE:
CWE-79
Bugzilla:
1612105: CVE-2018-1000225 cobbler: Persistent XSS vulnerability in cobbler-web

The MITRE CVE dictionary describes this issue as:

Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to be exploitable via "network connectivity", by sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).

Find out more about CVE-2018-1000225 from the MITRE CVE dictionary and NIST NVD.
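As an added illustration of the bug class described above (this is not code from cobbler, cobbler-web or this advisory): an XML-RPC method accepts a caller-supplied string with no authentication and stores it, and a web page later interpolates the stored value straight into HTML. The in-memory store, the `add_record` method name, the `<script>` payload and both renderers are constructed for this example; the vulnerable and hardened renderers differ only in output encoding at the HTML sink.

```python
import html
import xmlrpc.client

# Constructed in-memory store standing in for the objects a web UI lists.
# Hypothetical: nothing here is cobbler's own data model or API.
STORE = {}

# Constructed test payload: executes in the browser of whoever views the page.
PAYLOAD = '<script>alert(document.cookie)</script>'


def build_request(name, comment):
    """Client side: marshal a call to the hypothetical `add_record` method.
    This is the on-wire XML an XML-RPC server would receive. Note that the
    marshaller XML-escapes '<' on the wire; that is transport encoding, and
    it is undone by the parser on the server, so it is not an XSS defence."""
    return xmlrpc.client.dumps((name, comment), methodname="add_record")


def handle_request(body):
    """Server side: unmarshal and dispatch without any token or session check.
    Accepting the write unauthenticated is what makes the rendering bug
    reachable by anyone with network access to the API endpoint."""
    params, method = xmlrpc.client.loads(body)
    if method != "add_record":
        raise ValueError("unknown method %r" % method)
    name, comment = params
    STORE[name] = {"comment": comment}   # raw, unescaped string is persisted
    return True


def render_vulnerable(store):
    """Web UI, vulnerable form: stored fields are interpolated into HTML as-is.
    A <script> in a record name is served to every administrator who loads
    the listing page, which is the persistent (stored) XSS pattern."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (name, rec["comment"])
        for name, rec in sorted(store.items())
    )
    return "<table>%s</table>" % rows


def render_hardened(store):
    """Same page with output encoding applied at the sink. quote=True also
    escapes quotes, so the same helper is safe inside attribute values."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(name, quote=True), html.escape(rec["comment"], quote=True))
        for name, rec in sorted(store.items())
    )
    return "<table>%s</table>" % rows


def demo():
    """Drive the full path: unauthenticated API write, then both renderers.
    Returns (vulnerable_html, hardened_html)."""
    STORE.clear()
    handle_request(build_request(PAYLOAD, "constructed comment"))
    return render_vulnerable(STORE), render_hardened(STORE)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable:", vulnerable)
    print("hardened:  ", hardened)
```

The fix shown is output encoding at the point of rendering, which is the CWE-79 remedy; that the API accepts the write without authentication is a separate trust-boundary problem and would normally be closed as well, but escaping at the sink is what stops an already-stored payload from executing in an administrator's browser.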

Statement

This issue did not affect the versions of cobbler shipped with Red Hat Satellite 5, because Satellite 5 does not ship the cobbler-web package.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 9.6
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Impact High
Integrity Impact High
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Satellite 5 cobbler Not affected

CVE description copyright © 2017, The MITRE Corporation