CVE-2017-15125
Last modified
CVE-2017-15125 is a vulnerability of currently unknown severity. A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. EPSS estimates a 0.93% chance of exploitation in the next 30 days.
Description
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Cloudforms Management Engine | < 5.9.0.22 |
References
- http://www.securityfocus.com/bid/102287Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2018:0380Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15125Issue Tracking, Vendor Advisory
- http://www.securityfocus.com/bid/102287Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2018:0380Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15125Issue Tracking, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-15125?
How severe is CVE-2017-15125?
How do I fix CVE-2017-15125?
Are you affected by CVE-2017-15125?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST