CVE-2011-4346
Description
Cross-site scripting (XSS) vulnerability in the web interface in Red Hat Network (RHN) Satellite 5.4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field of the asset tag in a Custom Info page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RHN Satellite 5.4.1's Custom Info page fails to sanitize the Description field, allowing authenticated users to inject arbitrary HTML/JavaScript.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Red Hat Network Satellite 5.4.1 web interface. The Description field on the 'Custom Info' page (under 'System Details' > 'Details') does not properly sanitize user input, allowing injection of arbitrary web script or HTML via the asset tag's Description field. The flaw is located in the CustomInfo.pm module, specifically in the code that processes and displays custom system information keys [1]. Affected versions include RHN Satellite 5.4.1 and likely earlier versions that use the same code path.
Exploitation
An authenticated RHN Satellite user can craft a value for the Custom System Info key's Description field containing malicious HTML or JavaScript. When other users view the custom info page, the injected script executes in their browser. The attacker needs valid credentials but no special privileges, as any authenticated user can create custom info entries [1][2]. No special network position is required; the attacker accesses the web interface normally.
Impact
Successful exploitation allows the attacker to execute arbitrary HTML or JavaScript in the context of the victim's browser session, leading to session hijacking, defacement, or redirection to malicious sites. The impact is limited to the web interface and does not affect the underlying satellite system. The attacker's code runs in the security context of the authenticated victim user, potentially allowing further actions within the Satellite's web application [1].
Mitigation
Red Hat released an update via RHSA-2011:1794 on December 5, 2011, which patches the vulnerability by adding proper HTML escaping in the CustomInfo.pm module [1][2]. Systems should be updated to the fixed package version 5.4.1-2 or later. No workaround is documented if the patch cannot be applied. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
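As an added illustration (not code from RHN Satellite's CustomInfo.pm, and written in Python rather than that module's Perl), the block below contrasts rendering the Custom Info Description field without and with the output-side HTML escaping the fix added. It also includes a small audit helper, an assumption of ours rather than anything in the advisory, for reviewing descriptions that were stored before the update, since a stored XSS value survives patching until the record itself is cleaned.

```python
import html
import re

# Constructed sample Custom Info entries for one system: (key label, description).
# The markup in the second and third descriptions is a constructed test value
# used to show the difference in rendering, not content taken from the advisory.
SAMPLE_ENTRIES = [
    ("asset_tag", "Rack 12, slot 3"),
    ("owner", '<script>alert("stored xss")</script>'),
    ("cost_center", "CC-4471 <b>critical</b>"),
]


def render_row_unescaped(key, description):
    """Pre-fix behaviour: the stored description is concatenated straight into HTML."""
    return f"<tr><td>{key}</td><td>{description}</td></tr>"


def render_row_escaped(key, description):
    """Post-fix behaviour: every user-controlled field is HTML-escaped on output."""
    return f"<tr><td>{html.escape(key)}</td><td>{html.escape(description)}</td></tr>"


def render_custom_info(entries, escape=True):
    """Render the Custom Info table; escape=False reproduces the vulnerable output."""
    render = render_row_escaped if escape else render_row_unescaped
    rows = "".join(render(key, desc) for key, desc in entries)
    return f"<table>{rows}</table>"


# Heuristic: an HTML tag or a javascript: URL inside a free-text description.
MARKUP_RE = re.compile(r"</?[a-zA-Z][^>]*>|javascript:", re.IGNORECASE)


def flag_markup_in_descriptions(entries):
    """Audit helper (hypothetical): return the keys whose stored description
    contains markup. Entries created before the patch stay in the database, so
    they are worth reviewing after the update even though output is now escaped."""
    return [key for key, desc in entries if MARKUP_RE.search(desc)]
```

The flagged keys are a triage list for manual review, not proof of exploitation; a legitimate description may contain angle brackets.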
Affected products
- Range: 5.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.redhat.com/support/errata/RHSA-2011-1794.html (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/50963 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id (nvd: Third Party Advisory, VDB Entry)
- secunia.com/advisories/47162 (nvd: Broken Link)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking)
News mentions
No linked articles in our index yet.