Cross-site Scripting (XSS)

2021-03-1122:57:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

JSON

ceph dashboard is vulnerable to cross-site scripting (XSS) attacks. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks.

CPENameOperatorVersion
ceph:develeq15.2.5-0ubuntu4
ceph:develeq15.2.3-0ubuntu3
ceph:develeq15.2.5-0ubuntu2
ceph:sideq14.2.9-1+b1
ceph:bullseyeeq14.2.9-1+b1
ceph:hirsuteeq15.2.5-0ubuntu4
ceph:hirsuteeq15.2.5-0ubuntu2
cepheq14.2.10__1.el7
cepheq0.80.1__5.el7ost
cepheq12.2.0__0.el7

Name	Operator	Version
ceph:devel	eq	15.2.5-0ubuntu4
ceph:devel	eq	15.2.3-0ubuntu3
ceph:devel	eq	15.2.5-0ubuntu2
ceph:sid	eq	14.2.9-1+b1
ceph:bullseye	eq	14.2.9-1+b1
ceph:hirsute	eq	15.2.5-0ubuntu4
ceph:hirsute	eq	15.2.5-0ubuntu2
ceph	eq	14.2.10__1.el7
ceph	eq	0.80.1__5.el7ost
ceph	eq	12.2.0__0.el7