Controller: html injection in custom login info
CVE-2023-3971
7.3 HIGH
What is CVE-2023-3971?
An HTML injection vulnerability exists in the user interface settings of Red Hat Automation Controller: the custom login info field accepts HTML, which allows an attacker with access to that setting to inject malicious HTML code. This can be used to build a fake login page designed to capture user credentials. As a result, attackers may gain unauthorized access to sensitive information by tricking users into entering their credentials on these fraudulent pages.
Affected Version(s)
Red Hat Ansible Automation Platform 2.3 for RHEL 8 0:4.3.11-1.el8ap
Red Hat Ansible Automation Platform 2.3 for RHEL 9 0:4.3.11-1.el9ap
Red Hat Ansible Automation Platform 2.4 for RHEL 8 0:4.4.1-1.el8ap
References
CVSS V3.1
Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
Credit
Red Hat would like to thank Kunal Pusdekar (redhat) for reporting this issue.