obs: Stored XSS
Description
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Open Build Service allows attackers to inject JavaScript via malformed markdown links, impacting confidentiality and integrity.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Open Build Service front-end. The markdown parser improperly neutralizes user-supplied href values, allowing an attacker to inject arbitrary HTML attributes such as style and onmouseover. This affects all versions prior to 2.10.8 [1].
Exploitation
An attacker with an OBS account can add a malicious comment to any project. The comment contains a crafted markdown link payload that stretches the `<a>` tag to full screen using an inline `style` and triggers JavaScript execution via the `onmouseover` attribute. Any user viewing the project page will execute the payload when moving the mouse, which is likely immediately due to the full-screen coverage [1].
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the victim's browser. This can lead to information disclosure, session hijacking, or other client-side attacks, compromising both confidentiality and integrity of the OBS instance [1].
Mitigation
The vulnerability is fixed in Open Build Service version 2.10.8. Users should upgrade to this version or later. No workarounds are documented [1].
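The root cause described above is that attributes such as `style` and `onmouseover` survive from the markdown link into the rendered `<a>` element. The block below is an added illustration, not code from the Open Build Service project or its fix: a small allowlist filter that post-processes rendered HTML so that every `<a>` keeps only `href` and `title`, with `href` restricted to http(s), mailto, relative and fragment targets. The sample comment string, the function names and the allowlist are assumptions made for the example; a real Rails application would normally use the `sanitize` helper from rails-html-sanitizer with an explicit `tags:`/`attributes:` allowlist rather than a regex pass like this one.

```ruby
# Added example (not OBS project code): allowlist post-processing of rendered
# markdown so that <a> elements keep only safe attributes. The regex approach is
# deliberately simple and only meant to show the allowlist idea; it does not
# handle attribute values that contain '>' and should not replace a real
# HTML sanitizer in production.
require 'cgi'

# Assumed allowlist: the only attributes a markdown link legitimately needs.
ALLOWED_LINK_ATTRS = %w[href title].freeze
# Assumed allowlist of link targets; anything else (javascript:, data:, ...) is dropped.
SAFE_HREF = %r{\A(?:https?://|mailto:|/|#)}i

# Parse the attribute part of a single tag ("href=... title=...") into a hash,
# lower-casing names and decoding entities so values can be re-escaped once.
def parse_attrs(attr_str)
  attrs = {}
  attr_str.scan(/([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |name, dq, sq, bare|
    attrs[name.downcase] = CGI.unescapeHTML(dq || sq || bare)
  end
  attrs
end

# Rebuild every opening <a ...> tag from its allowlisted attributes only.
# style=, onmouseover= and any other event handler never reach the output.
def sanitize_links(html)
  html.gsub(/<a\b([^>]*)>/i) do
    attrs = parse_attrs(Regexp.last_match(1))
    kept = attrs.select { |name, _| ALLOWED_LINK_ATTRS.include?(name) }
    kept.delete('href') unless kept['href'] && kept['href'].match?(SAFE_HREF)
    rebuilt = kept.map { |name, value| %(#{name}="#{CGI.escapeHTML(value)}") }.join(' ')
    rebuilt.empty? ? '<a>' : "<a #{rebuilt}>"
  end
end

# Constructed sample of what a rendered comment might look like when the
# markdown renderer passes extra attributes through unchanged.
SAMPLE_COMMENT_HTML = '<p>See <a href="https://example.org/pkg" style="position:fixed" ' \
                      'onmouseover="alert(1)">this package</a> and ' \
                      '<a href="javascript:alert(2)" title="x">that one</a>.</p>'

if __FILE__ == $PROGRAM_NAME
  puts sanitize_links(SAMPLE_COMMENT_HTML)
end
```

The filter is applied to the renderer's output rather than to the markdown source, which matters because escaping decisions made at the markdown layer are easy to bypass with alternative link syntaxes; checking the final HTML against an attribute allowlist catches every variant that ends up in an `<a>` element.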
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Build Service
- Range: <2.10.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.suse.com/show_bug.cgi (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.