CVE-2019-10177
MEDIUM
CloudForms Management Engine 5.9-5.10 - Stored Cross-Site Scripting in PDF Export Component
Title source: llm
Description
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, because user input is not properly sanitized. An attacker with the least privilege needed to edit compute is able to execute an XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher-privileged users.
References (2)
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10177
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/109065
Scores
CVSS v3: 6.5
EPSS: 0.0034
EPSS Percentile: 56.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Details
CWE: CWE-79
Status: published
Products (2):
redhat/cloudforms_management_engine 5.9
redhat/cloudforms_management_engine 5.10
Published: Jun 27, 2019
Tracked Since: Feb 18, 2026