Controller: html injection in custom login info
Description
HTML injection in Red Hat Ansible Automation Platform Controller's custom login page allows credential theft and full compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An HTML injection vulnerability exists in the user interface settings of Red Hat Ansible Automation Platform Controller. The flaw allows an attacker to inject arbitrary HTML into the custom login page configuration. Affected versions include Red Hat Ansible Automation Platform 2.3 and 2.4 for RHEL 8 and RHEL 9 [1][2][3][4].
Exploitation
An attacker with administrative access to the Controller's UI settings can inject malicious HTML into the custom login page. When a user visits the login page, the injected HTML is rendered, potentially displaying a fake login form that captures credentials. No user interaction beyond visiting the page is required for the injected content to be served.
Impact
Successful exploitation allows an attacker to capture credentials of users logging into the Controller. This can lead to complete compromise of the Ansible Automation Platform instance, as the attacker gains administrative access to manage automation, credentials, and infrastructure.
Mitigation
The vulnerability is fixed in Red Hat Ansible Automation Platform 2.3 and 2.4 via RHSA-2023:4590 and RHSA-2023:4340 respectively [1][3][4]. Users should update to the latest patched versions. No workarounds are documented; updating is the recommended mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
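The mechanism described in the Exploitation and Mitigation sections, as an added illustration that is not the Controller's own code: a constructed login-page template that inserts an admin-controlled custom login info value verbatim, beside an output-escaped version and an audit check a defender could run over the stored setting value. The template, the setting name, and both sample values are assumptions made for this example.

```python
import html
import re

# Constructed stand-in for a login page template whose custom-login-info
# setting (an admin-controlled value; the name is assumed, not the project's
# own) is inserted below the real login form.
LOGIN_TEMPLATE = (
    '<form method="post" action="/login">'
    '<input name="username"><input name="password" type="password">'
    '</form><div id="custom-login-info">{info}</div>'
)

# Constructed sample setting values: one plain text, one carrying markup.
BENIGN_INFO = "Authorized users only. Contact the platform team for access."
MARKUP_INFO = 'Welcome <form action="https://example.invalid/collect">injected</form>'

def render_login_vulnerable(custom_login_info: str) -> str:
    """Inserts the setting verbatim, so any markup in it becomes part of the page."""
    return LOGIN_TEMPLATE.format(info=custom_login_info)

def render_login_hardened(custom_login_info: str) -> str:
    """Escapes the setting on output; browsers then show it as text, not markup."""
    return LOGIN_TEMPLATE.format(info=html.escape(custom_login_info, quote=True))

_TAG = re.compile(r"</?\s*[a-z!]", re.I)
_EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)
_SCRIPT_URL = re.compile(r"javascript\s*:", re.I)

def audit_custom_login_info(custom_login_info: str) -> list[str]:
    """Defender-side check: describe why a stored setting value looks like markup.
    An empty list means the value contains only plain text."""
    findings = []
    if _TAG.search(custom_login_info):
        findings.append("contains an HTML tag")
    if _EVENT_HANDLER.search(custom_login_info):
        findings.append("contains an inline event handler attribute")
    if _SCRIPT_URL.search(custom_login_info):
        findings.append("contains a javascript: URL")
    return findings

def count_forms(page: str) -> int:
    """Number of <form> elements a browser would find in the rendered page."""
    return len(re.findall(r"<form\b", page, re.I))

if __name__ == "__main__":
    print("vulnerable render forms:", count_forms(render_login_vulnerable(MARKUP_INFO)))
    print("hardened render forms:", count_forms(render_login_hardened(MARKUP_INFO)))
    print("audit:", audit_custom_login_info(MARKUP_INFO))
```

The audit function is the check worth running on an unpatched instance: a second form in the vulnerable render is exactly the fake login form the narrative above describes, while the hardened render keeps only the real one.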
Affected products (3 listed; 1 not shown on this page)
- cpe:/a:redhat:ansible_automation_platform:2.4::el8 (range: 0:4.4.1-1.el9ap)
- cpe:/a:redhat:ansible_automation_platform_developer:2.3::el9 (range: 0:4.3.11-1.el9ap)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- [1] access.redhat.com/errata/RHSA-2023:4340 (mitre, vendor-advisory, x_refsource_REDHAT)
- [2] access.redhat.com/errata/RHSA-2023:4590 (mitre, vendor-advisory, x_refsource_REDHAT)
- [3] access.redhat.com/security/cve/CVE-2023-3971 (mitre, vdb-entry, x_refsource_REDHAT)
- [4] bugzilla.redhat.com/show_bug.cgi (mitre, issue-tracking, x_refsource_REDHAT)
News mentions
No linked articles in our index yet.