Lucene search

[email protected]NVD:CVE-2024-4812

HistoryJun 05, 2024 - 3:15 p.m.

CVE-2024-4812

2024-06-0515:15:12

CWE-79

[email protected]

web.nvd.nist.gov

katello

foreman

malicious code

javascript

user input

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

Percentile

14.0%

JSON

A flaw was found in the Katello plugin for Foreman, where it is possible to store malicious JavaScript code in the “Description” field of a user. This code can be executed when opening certain pages, for example, Host Collections.

Affected configurations

Nvd

Node

katello_projectkatelloMatch-foreman

redhatsatelliteMatch6.0

VendorProductVersionCPE
katello_projectkatello-cpe:2.3:a:katello_project:katello:-:*:*:*:*:foreman:*:*
redhatsatellite6.0cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
katello_project	katello	-	cpe:2.3:a:katello_project:katello:-:::::foreman::
redhat	satellite	6.0	cpe:2.3:a:redhat:satellite:6.0:::::::*

References

access.redhat.com/security/cve/CVE-2024-4812

bugzilla.redhat.com/show_bug.cgi?id=2280187