What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2018-15913.

What is the severity of CVE-2018-15913?

The severity of CVE-2018-15913 is medium with a CVSS score of 6.1.

What is the affected software for CVE-2018-15913?

The affected software for CVE-2018-15913 is Cloudera Manager 5.x through 5.15.0.

How does CVE-2018-15913 exploit work?

CVE-2018-15913 exploits a vulnerability in Cloudera Manager where it does not check the validity of the 'returnUrl' parameter, allowing an attacker to redirect a user to a malicious page.

Is there a fix available for CVE-2018-15913?

Yes, Cloudera has released a security bulletin with detailed steps to fix CVE-2018-15913. Please refer to their documentation for more information.

Vulnerability/
CVE-2018-15913

medium

6.1

CWE

20/6/2019

5/8/2024

CVE-2018-15913: XSS

First published: Thu Jun 20 2019(Updated: )

An issue was discovered in Cloudera Manager 5.x through 5.15.0. One type of page in Cloudera Manager uses a 'returnUrl' parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker's external site or perform a malicious JavaScript function that results in cross-site scripting (XSS). This was fixed by not allowing any value in the returnUrl parameter with patterns such as http://, https://, //, or javascript. The only exceptions to this rule are the SAML Login/Logout URLs, which remain supported since they are explicitly configured and they are not passed via the returnUrl parameter.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Cloudera Cloudera Manager	>=5.0.0<=5.15.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2018-15913.
What is the severity of CVE-2018-15913?
The severity of CVE-2018-15913 is medium with a CVSS score of 6.1.
What is the affected software for CVE-2018-15913?
The affected software for CVE-2018-15913 is Cloudera Manager 5.x through 5.15.0.
How does CVE-2018-15913 exploit work?
CVE-2018-15913 exploits a vulnerability in Cloudera Manager where it does not check the validity of the 'returnUrl' parameter, allowing an attacker to redirect a user to a malicious page.
Is there a fix available for CVE-2018-15913?
Yes, Cloudera has released a security bulletin with detailed steps to fix CVE-2018-15913. Please refer to their documentation for more information.

collector/nvd-index
agent/weakness
agent/severity
agent/references
agent/author
agent/type
agent/event
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
agent/description
collector/mitre-cve
source/MITRE
vendor/cloudera
canonical/cloudera cloudera manager
version/cloudera cloudera manager/5.0.0
version/cloudera cloudera manager/5.15.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.