Stored Cross-Site Scripting Vulnerability in CloudForms by Red Hat
CVE-2019-10177
6.5 MEDIUM
Summary
A stored cross-site scripting vulnerability exists within the PDF export component of CloudForms versions 5.9 and 5.10. The flaw arises because user input is not adequately sanitized, so an attacker who holds only the minimal privileges needed to edit compute resources can launch XSS attacks against other users. Exploitation may lead to the execution of malicious code and the unauthorized extraction of anti-CSRF tokens, potentially compromising the security of higher-privileged users.
Affected Version(s)
CloudForms 5.9, 5.10
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved