CVE-2023-3971

HIGH

Redhat Ansible Automation Controller < 4.3.11 - Basic XSS

Title source: rule

Description

An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.

Exploits (1)

nomisec WORKING POC

by ashangp923 · poc

https://github.com/ashangp923/CVE-2023-3971

View Code ZIP pw:eip

References (4)

Core 4

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:4340

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:4590

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2023-3971

Issue Tracking, Vendor Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2226965

Scores

CVSS v3 7.3

EPSS 0.0040

EPSS Percentile 60.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-80 CWE-79

Status published

Products (6)

redhat/ansible_automation_controller 4.4

redhat/ansible_automation_controller < 4.3.11

redhat/ansible_automation_platform 2.3

redhat/ansible_automation_platform 2.4

redhat/ansible_developer 1.0

redhat/ansible_inside 1.1

Published Oct 04, 2023

Tracked Since Feb 18, 2026