CVE-2015-0284
MEDIUM
Red Hat Satellite 5.7 - Authenticated Cross-Site Scripting via XMLRPC API User Details
Title source: llm
Description
Cross-site scripting (XSS) vulnerability in spacewalk-java in Spacewalk and Red Hat Satellite 5.7 allows remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the XMLRPC API, involving user details. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-7811.
References (7)
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0590.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1181472
Patch x_refsource_confirm
https://github.com/spacewalkproject/spacewalk/commit/dd418384171473c3e31386a1b4792f8c555dc744
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1181152
Patch x_refsource_confirm
https://github.com/spacewalkproject/spacewalk/commit/f3792c79c1c251a49cc4e382be8591636326a794
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1315398
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1314906
Scores
CVSS v3
5.4
EPSS
0.0124
EPSS Percentile
65.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
redhat/satellite
5.7
redhat/spacewalk-java
Published
Apr 14, 2016
Tracked Since
Feb 18, 2026