CVE-2021-3529
HIGH
noobaa-operator < 5.7.0 - Stored Cross-Site Scripting via URL Name Injection
Title source: llm
Description
A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrary URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity.
References (1)
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1950479
Scores
CVSS v3
7.1
EPSS
0.0022
EPSS Percentile
45.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Details
CWE
CWE-79
Status
published
Products (2)
redhat/noobaa-operator
< 5.7.0
redhat/openshift_container_platform
4.0
Published
Jun 02, 2021
Tracked Since
Feb 18, 2026