CVE-2018-1000225
Description
Cobbler (verified as present in versions 2.6.11+, though code inspection suggests that at least 2.0.0+, and possibly even older versions, may be vulnerable) contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to be exploitable via network connectivity, by sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cobbler's XMLRPC API allows unauthenticated XSS injection via the _new_event method, leading to stored cross-site scripting and potential admin privilege escalation.
Vulnerability
Cobbler versions 2.6.11 and later (possibly as early as 2.0.0) contain a stored cross-site scripting (XSS) vulnerability in cobbler-web. The XMLRPC API at /cobbler_api exposes internal methods, including _new_event, which accepts arbitrary data without sanitization. This data is later rendered in the web UI without escaping, allowing injection of JavaScript payloads [1][2][4].
Exploitation
An unauthenticated attacker with network access to the Cobbler server can send a crafted XMLRPC request to the _new_event method containing a JavaScript payload. The payload is stored and executed when an administrator or any user visits the events page in cobbler-web [1][4]. No authentication or user interaction beyond viewing the events page is required.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator's session. This can lead to session hijacking, privilege escalation to admin, and potential full compromise of the Cobbler server and managed infrastructure [1][2][4].
Mitigation
No official patch has been released as of the publication date. As a workaround, restrict network access to the /cobbler_api endpoint using a firewall to allow only trusted clients [1]. Administrators should monitor for updates from the Cobbler project [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
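The two controls the narrative above implies (do not expose internal XMLRPC methods to unauthenticated callers; escape stored event data before it reaches the events page) can be shown side by side. The following is an added example written for this page, not Cobbler's own code: the EventStore class, the new_event/_new_event methods, the PUBLIC_METHODS allow-list and the sample request bodies are all hypothetical stand-ins, and the log check parses XMLRPC bodies with the standard library so it can be run over captured /cobbler_api request bodies from a proxy or WAF log.

```python
"""Added example (not Cobbler's code) for the flaw class behind
CVE-2018-1000225: an XMLRPC endpoint that exposes internal
(underscore-prefixed) methods, and a web page that renders the stored
data without escaping.

Shown here:
  1. an allow-list dispatcher that refuses calls to internal methods,
  2. the unescaped render beside the escaped one,
  3. a detection pass that flags request bodies calling internal methods.
All class, method and sample names are hypothetical.
"""
import html
import xmlrpc.client


class EventStore:
    """Hypothetical store for UI events; stands in for the real one."""

    def __init__(self):
        self.events = []

    def new_event(self, name):
        """Public wrapper: stores the event text as-is and returns its index."""
        self.events.append(str(name))
        return len(self.events) - 1

    def _new_event(self, name):
        """Internal method that must never be reachable over XMLRPC."""
        return self.new_event(name)


# Only methods listed here may be called through the XMLRPC boundary.
PUBLIC_METHODS = {"new_event"}


def dispatch(store, body):
    """Parse an XMLRPC methodCall body and dispatch only allow-listed methods.

    Internal (underscore-prefixed) and unlisted methods are refused before
    any attribute lookup on the store object happens.
    """
    params, method = xmlrpc.client.loads(body)
    if method is None or method.startswith("_") or method not in PUBLIC_METHODS:
        raise PermissionError(f"method not exported: {method!r}")
    return getattr(store, method)(*params)


def render_events_vulnerable(store):
    """Stored text is interpolated straight into HTML (the bug pattern)."""
    return "<ul>" + "".join(f"<li>{e}</li>" for e in store.events) + "</ul>"


def render_events_safe(store):
    """Same page with output encoding: stored text cannot become markup."""
    return "<ul>" + "".join(f"<li>{html.escape(e)}</li>" for e in store.events) + "</ul>"


def flag_internal_calls(request_bodies):
    """Return the method names of XMLRPC requests that call internal methods.

    Intended for detection over captured request bodies; unparsable bodies
    are skipped rather than treated as a match.
    """
    flagged = []
    for body in request_bodies:
        try:
            _, method = xmlrpc.client.loads(body)
        except Exception:
            continue
        if method and method.startswith("_"):
            flagged.append(method)
    return flagged


# Constructed sample request bodies: one legitimate public call, one call to
# the internal method carrying an XSS canary.
SAMPLE_BODIES = [
    xmlrpc.client.dumps(("build started",), methodname="new_event"),
    xmlrpc.client.dumps(("<script>alert(1)</script>",), methodname="_new_event"),
]


if __name__ == "__main__":
    store = EventStore()
    print("flagged:", flag_internal_calls(SAMPLE_BODIES))
    print("public call index:", dispatch(store, SAMPLE_BODIES[0]))
    try:
        dispatch(store, SAMPLE_BODIES[1])
    except PermissionError as exc:
        print("refused:", exc)
    store._new_event("<script>alert(1)</script>")  # simulate a pre-fix stored event
    print(render_events_vulnerable(store))
    print(render_events_safe(store))
```

The allow-list is the control that matters at the API boundary: it does not matter how many internal helpers the server object has if the dispatcher only ever looks up names from a fixed set. Output encoding is the independent fix on the rendering side, and the detection pass is what to run over historical request logs to see whether internal methods were ever called from outside.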
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cobbler (PyPI) | <= 2.6.11 | — |
Affected products
12 GHSA version entries; none carries a CPE identifier. Ranges are listed in the order the advisory gives them.

| Package URL | Distribution | Affected range |
|---|---|---|
| pkg:pypi/cobbler | PyPI | <= 2.6.11 |
| pkg:rpm/opensuse/cobbler | openSUSE Leap 15.2 | < 3.1.2-lp152.6.3.1 |
| pkg:rpm/opensuse/cobbler | openSUSE Tumbleweed | < 3.2.1.336+git.5639a3af-1.1 |
| pkg:rpm/suse/cobbler | HPE Helion OpenStack 8 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler | SUSE Manager Client Tools 12 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler | SUSE Manager Server 3.0 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler | SUSE Manager Server 3.1 | < 2.6.6-5.17.1 |
| pkg:rpm/suse/cobbler | SUSE Manager Server 3.2 | < 2.6.6-6.7.1 |
| pkg:rpm/suse/cobbler | SUSE OpenStack Cloud 8 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler | SUSE Package Hub 15 SP2 | < 3.1.2-bp152.4.3.1 |
| pkg:rpm/suse/release-notes-susemanager | SUSE Manager Server 3.1 | < 3.1.8-5.38.1 |
| pkg:rpm/suse/release-notes-susemanager-proxy | SUSE Manager Proxy 3.1 | < 3.1.8-0.15.29.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q9g5-98pm-w6q7 (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1000225 (GHSA: ADVISORY)
- github.com/cobbler/cobbler/blob/master/cobbler/remote.py (GHSA: WEB)
- github.com/cobbler/cobbler/issues/1917 (GHSA: WEB, x_refsource_CONFIRM)
- movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api (GHSA: WEB)
- movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ (MITRE: x_refsource_MISC)
News mentions
No linked articles in our index yet.