CVE-2017-15125: XSS
First published: Fri Nov 24 2017(Updated: )
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Cloudforms Management Engine | <5.9.0.22 | |
| redhat/cfme | <5.9.0.22 | 5.9.0.22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2017-15125?
CVE-2017-15125 is a vulnerability found in CloudForms before 5.9.0.22 that allows for stored XSS attacks on application administrators.
How does CVE-2017-15125 affect CloudForms?
CVE-2017-15125 affects CloudForms before 5.9.0.22 in the self-service UI snapshot feature.
What is the severity of CVE-2017-15125?
The severity of CVE-2017-15125 is medium, with a CVSS score of 5.4.
How can an attacker exploit CVE-2017-15125?
An attacker can exploit CVE-2017-15125 by injecting malicious HTML and JavaScript code into the name field of CloudForms self-service UI snapshot feature.
What is the recommended fix for CVE-2017-15125?
To fix CVE-2017-15125, users should update CloudForms to version 5.9.0.22 or later.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-15125
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/author
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/redhat
- canonical/redhat cloudforms management engine
- package-manager/redhat