CVE-2016-3079

MEDIUM

Redhat Satellite - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to systems/SystemEntitlements.do; (2) the label parameter to admin/multiorg/EntitlementDetails.do; or the name of a (3) snapshot tag or (4) system group in System Set Manager (SSM).

References (8)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-0590.html

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=1320444

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=1320452

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=1320940

[Patch] https://github.com/spacewalkproject/spacewalk/commit/7920542f

[Patch] https://github.com/spacewalkproject/spacewalk/commit/7b9ff9ad

[Patch] https://github.com/spacewalkproject/spacewalk/commit/982b11c9

[Patch] https://github.com/spacewalkproject/spacewalk/commit/b6491eba

Scores

CVSS v3 6.1

EPSS 0.0043

EPSS Percentile 62.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status draft

Affected Products (2)

redhat/satellite

redhat/spacewalk-java

Timeline

Published Apr 14, 2016

Tracked Since Feb 18, 2026