Lucene search

GitHub_MVULNRICHMENT:CVE-2024-36110

HistoryMay 28, 2024 - 6:33 p.m.

CVE-2024-36110 Cross-site scripting in ansibleguy-webui

2024-05-2818:33:56

CWE-79

GitHub_M

github.com

cve-2024-36110

cross-site scripting

ansible

webui

html injection

browser evaluation

version upgrade

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on pypi). Users are advised to upgrade. There are no known workarounds for these issues.

CNA Affected

[
  {
    "vendor": "ansibleguy",
    "product": "webui",
    "versions": [
      {
        "version": "< 0.0.21",
        "status": "affected"
      }
    ]
  }
]

References

github.com/ansibleguy/webui/commit/7737b47e7f7ddbfec7b1418c724598363718d522

github.com/ansibleguy/webui/files/15358522/Report.pdf

github.com/ansibleguy/webui/issues/44

github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj