{"containers": {"cna": {"affected": [{"product": "CloudForms", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "5.9, 5.10"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute a XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-08T12:06:03", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10177"}, {"name": "109065", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109065"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:10.027Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10177"}, {"name": "109065", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109065"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10177", "datePublished": "2019-06-27T20:50:45", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2024-08-04T22:10:10.027Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.9:*:*:*:*:*:*:*", "matchCriteriaId": "AF039B5E-8906-4B26-A6FA-BBF500F6FABE", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.10:*:*:*:*:*:*:*", "matchCriteriaId": "BFB7DD21-9B04-4943-ADD1-F2D1EB517686", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute a XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad almacenada de cross-site scripting (XSS) en el componente de exportaci\u00f3n a PDF de CloudForms, versiones 5.9 y 5.10, debido a que la informaci\u00f3n del usuario no est\u00e1 correctamente saneada. Un atacante con menos privilegios para editar el proceso puede ejecutar un ataque XSS contra otros usuarios, lo que podr\u00eda provocar la ejecuci\u00f3n de un c\u00f3digo malicioso y la extracci\u00f3n del token anti-CSRF de usuarios con privilegios m\u00e1s altos."}], "id": "CVE-2019-10177", "lastModified": "2020-09-30T19:51:31.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-27T21:15:10.120", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109065"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10177"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Yadnyawalk Tale (Red Hat).", "bugzilla": {"description": "CloudForms: Store XSS in PDF exports feature allows code execution of Javascript and HTML input", "id": "1724241", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1724241"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute a XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users.", "It was found that PDF export component in CloudForms was vulnerable to cross-side scripting (XSS) as user input was not properly sanitized. An authenticated attacker with privileges to edit compute could use the XSS vulnerability against users, which could lead to arbitrary code execution, and extraction of the anti-CSRF token of a higher privileged user."], "name": "CVE-2019-10177", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "impact": "moderate", "package_name": "cfme", "product_name": "CloudForms Management Engine 5"}], "public_date": "2019-06-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10177\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10177"], "threat_severity": "Moderate"}