CVE-2018-16887
Description
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with the privilege to create or edit organizations and locations is able to execute XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher-privileged users. Versions before 3.9.0 are vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Satellite's katello component allows attackers with org/location edit privileges to execute scripts via Subscriptions/Repositories wizards.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the katello component of Red Hat Satellite, affecting versions before 3.9.0 [2]. The flaw is located in the Subscriptions and Red Hat Repositories wizards, where an attacker with the privilege to create or edit organizations and locations can inject malicious scripts [2][3].
Exploitation
An attacker must have the ability to create or edit organizations and locations within Satellite. They can then craft malicious input within the Subscriptions or Red Hat Repositories wizards. When other users, including higher-privileged users, access these pages, the injected script executes in the context of their browser session [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, including extraction of the anti-CSRF token of a higher-privileged user. With that token, requests forged on the victim's behalf pass the application's CSRF check, so the attacker can perform actions with the victim's privileges [2].
Mitigation
The vulnerability is fixed in Red Hat Satellite 6.5, which includes katello version 3.10.0 [1]. Users should upgrade to this or later version. No workarounds are available. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV).
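The following added example (not Katello's own code, and not taken from the advisory) illustrates the two practitioner checks implied by the Exploitation, Impact and Mitigation sections: a version check against the 3.9.0 fix boundary, and the difference between interpolating a stored organization name straight into wizard markup and escaping it at output time. The `unsafe_option`/`safe_option` helpers are hypothetical stand-ins for the wizard rendering (the page does not show where in Katello the flaw sits), and the name list is constructed sample data, not data from any real Satellite instance.

```ruby
require 'erb'
require 'rubygems'

# Versions of the katello gem before 3.9.0 are affected (per the advisory).
FIXED_VERSION = Gem::Version.new('3.9.0')

def vulnerable_version?(installed)
  Gem::Version.new(installed) < FIXED_VERSION
end

# Hypothetical rendering helper standing in for a wizard that lists organizations.
# The unsafe form interpolates the stored name straight into markup, so a name
# that contains HTML becomes live markup in every viewer's browser (stored XSS).
def unsafe_option(org_name)
  "<option>#{org_name}</option>"
end

# Hardened form: escape at output time so the stored name is rendered as text.
# Escaping on save is not enough; the same name may be rendered in several places.
def safe_option(org_name)
  "<option>#{ERB::Util.html_escape(org_name)}</option>"
end

# Audit check for an instance that cannot be patched yet: flag stored
# organization/location names containing HTML metacharacters or a script URI.
# Benign names such as "R&D" are flagged too and need a manual look.
SUSPICIOUS = /[<>"'&]|javascript:/i

def suspicious_names(names)
  names.select { |n| n.match?(SUSPICIOUS) }
end

# Constructed sample data (assumption: what an org/location name list might hold).
SAMPLE_NAMES = [
  'Default Organization',
  'Engineering',
  'Dev <img src=x onerror=alert(1)>',
].freeze

if $PROGRAM_NAME == __FILE__
  puts "katello 3.8.2 vulnerable? #{vulnerable_version?('3.8.2')}"
  puts "katello 3.9.0 vulnerable? #{vulnerable_version?('3.9.0')}"
  puts "unsafe: #{unsafe_option(SAMPLE_NAMES.last)}"
  puts "safe:   #{safe_option(SAMPLE_NAMES.last)}"
  puts "names to review: #{suspicious_names(SAMPLE_NAMES).inspect}"
end
```

On a live system the name list would come from the Satellite API or database rather than the constructed array; the point of the audit is that the attacker in this CVE must already hold org/location edit rights, so any injected markup is sitting in stored names and can be found before another user opens the wizard.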
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| katello (RubyGems) | < 3.9.0 | 3.9.0 |
Affected products
- The Katello Project / katello (version range from the CVE record): versions before 3.9.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] access.redhat.com/errata/RHSA-2019:1222 (Red Hat vendor advisory)
- [2] github.com/advisories/GHSA-mhhc-r88h-2qrm (GitHub Security Advisory)
- [3] nvd.nist.gov/vuln/detail/CVE-2018-16887 (NVD entry)
- [4] bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- [5] github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2018-16887.yml (ruby-advisory-db entry)
News mentions
No linked articles in our index yet.