Moderate severityNVD Advisory· Published Jan 13, 2019· Updated Aug 5, 2024
CVE-2018-16887
CVE-2018-16887
Description
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
katelloRubyGems | < 3.9.0 | 3.9.0 |
Affected products
2- The Katello Project/katellov5Range: 3.9.0
Patches
Vulnerability mechanics
References
5- access.redhat.com/errata/RHSA-2019:1222ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-mhhc-r88h-2qrmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-16887ghsaADVISORY
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2018-16887.ymlghsaWEB
News mentions
0No linked articles in our index yet.