ID CVE-2016-3079 Type cve Reporter NVD Modified 2016-04-18T14:14:21
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to systems/SystemEntitlements.do; (2) the label parameter to admin/multiorg/EntitlementDetails.do; or the name of a (3) snapshot tag or (4) system group in System Set Manager (SSM).
References
https://github.com/spacewalkproject/spacewalk/commit/982b11c9
https://github.com/spacewalkproject/spacewalk/commit/7920542f
https://github.com/spacewalkproject/spacewalk/commit/7b9ff9ad
https://github.com/spacewalkproject/spacewalk/commit/b6491eba
https://bugzilla.redhat.com/show_bug.cgi?id=1320452
https://bugzilla.redhat.com/show_bug.cgi?id=1320444
https://bugzilla.redhat.com/show_bug.cgi?id=1320940
http://rhn.redhat.com/errata/RHSA-2016-0590.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3079

CVSS v2 base score 4.3, vector AV:N/AC:M/Au:N/C:N/I:P/A:N (network vector, medium access complexity, no authentication required to reach the vector, no confidentiality or availability impact, partial integrity impact: the usual profile for a reflected or stored XSS, where the attacker still needs a victim to load the crafted page or link).

Affected CPE
cpe:/a:redhat:network_satellite:5.7
cpe:/a:redhat:spacewalk-java:-

Published 2016-04-14T10:59:08, last modified 2016-04-18T14:14:21. Reporter: NVD.
Related bulletins

RHSA-2016:0590 (Red Hat, published 2016-04-04) Moderate: spacewalk-java security update
https://access.redhat.com/errata/RHSA-2016:0590
Fixes CVE-2015-0284, CVE-2016-2103, CVE-2016-2104 and CVE-2016-3079; CVSS 4.3.

Nessus plugin 90343 (Tenable, published 2016-04-05) RHEL 6 : spacewalk-java (RHSA-2016:0590)
https://www.tenable.com/plugins/index.php?view=single&id=90343
Same CVE list and score. The plugin description reproduces the advisory text below, prefixed with: "An update for spacewalk-java is now available for Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section."

Advisory text (RHSA-2016:0590):

Red Hat Satellite is a system management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and the remote management of multiple Linux deployments with a single, centralized tool.

Security Fix(es):

* A cross-site scripting (XSS) flaw was found in how XML data was handled in Red Hat Satellite. A user able to use the XMLRPC API could exploit this flaw to perform XSS attacks against other Satellite users. (CVE-2015-0284)

* Multiple cross-site scripting (XSS) flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2103, CVE-2016-3079)

* Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2104)

Red Hat would like to thank Adam Willard (Raytheon Foreground Security) for reporting CVE-2016-2104. The CVE-2015-0284 and CVE-2016-3079 issues were discovered by Jan Hutař (Red Hat).
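The description names two URL-carried vectors (PATH_INFO to systems/SystemEntitlements.do and the label parameter of admin/multiorg/EntitlementDetails.do) and two stored ones (a snapshot tag name and an SSM system group name rendered back to other users), and the advisory classifies the flaw as unescaped form data. The script below is an added example, not Spacewalk's code and not from NVD or Red Hat: it builds the two URL vectors with a percent-encoded canary, classifies a response body as reflecting that canary unescaped, escaped or not at all, and pairs a raw-interpolating renderer with an HTML-encoding one to stand in for the stored vectors. The /rhn context path, the canary string and the sample table rows are assumptions constructed for the example; the live probe requires a session cookie from a logged-in browser, since these pages sit behind login, and should only be pointed at a system you are authorised to test.

```python
"""Reflection check for the XSS vectors in CVE-2016-3079.

Added example: not Spacewalk's code. Works offline on constructed HTML and,
optionally, probes a live instance the reader is authorised to test.
"""
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed canary. It carries the characters that must be encoded in HTML
# text and attribute context ('"', '<', '>') plus a token unlikely to occur in a
# real page, so a verbatim hit is a genuine unescaped reflection.
CANARY = 'x7q"<cve3079>'

# Assumed context path: Spacewalk's web UI is normally mounted under /rhn.
CONTEXT = '/rhn'


def probe_urls(base_url: str) -> list[str]:
    """Return the two URL-carried vectors named in the CVE description:
    (1) PATH_INFO appended to systems/SystemEntitlements.do
    (2) the 'label' parameter of admin/multiorg/EntitlementDetails.do
    The canary is percent-encoded so the request itself stays well formed."""
    base = base_url.rstrip('/') + CONTEXT
    path_info = urllib.parse.quote(CANARY, safe='')
    label_query = urllib.parse.urlencode({'label': CANARY})
    return [
        f'{base}/systems/SystemEntitlements.do/{path_info}',
        f'{base}/admin/multiorg/EntitlementDetails.do?{label_query}',
    ]


def classify(body: str, canary: str = CANARY) -> str:
    """'vulnerable' if the canary is reflected with its metacharacters intact,
    'escaped' if only an HTML-entity-encoded copy appears, 'absent' otherwise."""
    if canary in body:
        return 'vulnerable'
    if html.escape(canary, quote=True) in body:
        return 'escaped'
    return 'absent'


# The stored vectors (3) and (4), a snapshot tag name or an SSM system group
# name, are rendered later into other users' pages. These two constructed
# renderers stand in for that step: the first interpolates the name raw (the
# pre-fix behaviour the advisory describes), the second entity-encodes it.
def render_group_row_vulnerable(group_name: str) -> str:
    return f'<tr><td class="group">{group_name}</td></tr>'


def render_group_row_fixed(group_name: str) -> str:
    return f'<tr><td class="group">{html.escape(group_name, quote=True)}</td></tr>'


def probe_live(base_url: str, session_cookie: str, timeout: int = 10) -> dict[str, str]:
    """Fetch each vector with an authenticated session and classify the body.
    Non-2xx responses are inspected too, since error pages can reflect input.
    An expired session yields the login page and therefore 'absent'."""
    results = {}
    for url in probe_urls(base_url):
        req = urllib.request.Request(url, headers={'Cookie': session_cookie})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode('utf-8', 'replace')
        except urllib.error.HTTPError as err:
            body = err.read().decode('utf-8', 'replace')
        results[url] = classify(body)
    return results


if __name__ == '__main__':
    # Offline demonstration on the two stand-in renderers.
    for render in (render_group_row_vulnerable, render_group_row_fixed):
        print(f'{render.__name__}: {classify(render(CANARY))}')
    # Live probe: python3 probe.py https://satellite.example.com 'COOKIE-HEADER-VALUE'
    if len(sys.argv) == 3:
        for url, verdict in probe_live(sys.argv[1], sys.argv[2]).items():
            print(f'{verdict:10s} {url}')
```

A verdict of 'absent' on a live probe is not proof of a fix: it also results from an unauthenticated redirect to login, from a 404 on a renamed page, or from the input being dropped rather than encoded. Only 'escaped' shows the encoding fix described in RHSA-2016:0590 is in place on that path, and the stored vectors still need a tag or group created through the UI and viewed as another user.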