Controller: html injection in custom login info

CVE-2023-3971

7.3HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Ansible Automation Platform 2.3 For Rhel 8; Red Hat Ansible Automation Platform 2.3 For Rhel 9; Red Hat Ansible Automation Platform 2.4 For Rhel 8; Red Hat Ansible Automation Platform 2.4 For Rhel 9
Vendor: CVE Published:; 4 October 2023

Badges

👾 Exploit Exists

Summary

An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.

Affected Version(s)

Red Hat Ansible Automation Platform 2.3 for RHEL 8 <= 0:4.3.11-1.el8ap

Red Hat Ansible Automation Platform 2.3 for RHEL 9 <= 0:4.3.11-1.el9ap

Red Hat Ansible Automation Platform 2.4 for RHEL 8 <= 0:4.4.1-1.el8ap

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

👾
Exploit exists.
Sep 17, 2024
Risk change from: 5.4 to: 7.3 - (HIGH)
Apr 25, 2024
Vulnerability published.
Oct 4, 2023
Vulnerability Reserved.
Jul 27, 2023
Reported to Red Hat.
Jul 18, 2023

Collectors

NVD DatabaseMitre Database0 Proof of Concept(s)

Credit

Red Hat would like to thank Kunal Pusdekar (redhat) for reporting this issue.