{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-07T00:00:00", "datePublic": "2018-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-13T01:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gerrit.ovirt.org/#/c/87265/2/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/widget/host/HostNetworkInterfaceListViewItem.java"}, {"tags": ["x_refsource_MISC"], "url": "https://gerrit.ovirt.org/c/87265/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/7/2018 6:33:50", "ID": "CVE-2018-1000095", "REQUESTER": "awels@redhat.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gerrit.ovirt.org/#/c/87265/2/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/widget/host/HostNetworkInterfaceListViewItem.java", "refsource": "MISC", "url": "https://gerrit.ovirt.org/#/c/87265/2/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/widget/host/HostNetworkInterfaceListViewItem.java"}, {"name": "https://gerrit.ovirt.org/c/87265/", "refsource": "MISC", "url": "https://gerrit.ovirt.org/c/87265/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.200Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gerrit.ovirt.org/#/c/87265/2/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/widget/host/HostNetworkInterfaceListViewItem.java"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gerrit.ovirt.org/c/87265/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000095", "datePublished": "2018-03-13T01:00:00", "dateReserved": "2018-03-12T00:00:00", "dateUpdated": "2024-08-05T12:33:49.200Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ovirt-engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "26770DC3-20E8-428A-9A5B-F0A495919769", "versionEndIncluding": "4.2.2", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3."}, {"lang": "es", "value": "oVirt, de la versi\u00f3n 4.2.0 a la 4.2.2, contiene una vulnerabilidad de Cross-Site Scripting (XSS) en el nombre/descripci\u00f3n de la porci\u00f3n de la m\u00e1quina virtual de la aplicaci\u00f3n web de administrador. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 4.2.3."}], "id": "CVE-2018-1000095", "lastModified": "2019-11-06T20:49:55.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-13T01:29:00.843", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gerrit.ovirt.org/#/c/87265/2/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/widget/host/HostNetworkInterfaceListViewItem.java"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://gerrit.ovirt.org/c/87265/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Han Han (Red Hat).", "bugzilla": {"description": "ovirt-engine: stored XSS in snapshot description and comment", "id": "1542165", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1542165"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-79", "details": ["oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.", "A stored XSS vulnerability was discovered in ovirt-engine 4.2. Sanitation of HTML elements was not applied correctly to all fields, shows in the management console. An attacker with VM Admin permissions could use this vulnerability to launch XSS attacks against other VM or Cluster administrators."], "name": "CVE-2018-1000095", "package_state": [{"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "ovirt-engine", "product_name": "Red Hat Virtualization 4"}], "public_date": "2018-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000095\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000095\nhttps://gerrit.ovirt.org/#/c/87265"], "threat_severity": "Moderate"}