Cross-Site Scripting Vulnerability in Cloudera Manager by Cloudera
CVE-2018-15913

6.1MEDIUM

Key Information:

Vendor: Cloudera
Status: Cloudera Manager
Vendor: CVE Published:; 20 June 2019

What is CVE-2018-15913?

A security flaw in Cloudera Manager versions 5.x through 5.15.0 allows an attacker to exploit the 'returnUrl' parameter. Lack of validation on this parameter enables potential redirection to malicious external sites or execution of harmful JavaScript, posing significant risks to users. This vulnerability was addressed by restricting the 'returnUrl' parameter to disallow certain patterns (e.g., http://, https://, //, or javascript), while specifically permitting SAML Login/Logout URLs that are intentionally configured.

References

https://www.cloudera.com/documentation/other/security-bul...

x_refsource_MISC

https://www.cloudera.com/documentation/other/security-bul...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 20, 2019
Vulnerability Reserved
Aug 28, 2018