Description
Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS.
Published: 2026-06-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw that allows unsanitized user‑controlled data to be reflected in browser pages, enabling attackers to inject malicious scripts. Based on the description, it is inferred that this flaw involves the Mission Portal component of CFEngine Enterprise. This XSS can lead to session hijacking, credential theft, or defacement when a victim views a crafted page.

Affected Systems

Affected versions are CFEngine Enterprise 3.24.3 and earlier until 3.24.4, and 3.27.0 and earlier until 3.27.1. The flaw exists in the Mission Portal functionality of those releases.

Risk and Exploitability

The CVSS score is 6.1 and the EPSS score indicates a probability of exploitation in the <1% range. The vulnerability is not listed in CISA KEV. The risk can be considered medium because XSS can compromise any authenticated user who accesses the portal. Exploitation requires user interaction with a malicious link or URL within the vulnerable portal.

Generated by OpenCVE AI on June 3, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CFEngine Enterprise to version 3.24.4 or 3.27.1 or newer
  • Implement a content security policy to restrict script execution
  • Limit Mission Portal access to trusted users or disable the feature if not required



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in CFEngine Enterprise Mission Portal

Wed, 03 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Northern.tech
Northern.tech cfengine
Vendors & Products Northern.tech
Northern.tech cfengine

Wed, 03 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in CFEngine Enterprise Mission Portal
Weaknesses CWE-79

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T16:16:11.607Z

Reserved: 2026-03-22T00:00:00.000Z

Link: CVE-2026-33553

Vulnrichment

Updated: 2026-06-03T16:14:06.730Z

NVD

Status: Awaiting Analysis

Published: 2026-06-02T20:16:34.497

Modified: 2026-06-04T16:25:24.723

Link: CVE-2026-33553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T19:30:36Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')