Description
A flaw was found in migration-planner. Insufficient validation of the `AgentStatusUpdate.CredentialUrl` field allows an authenticated attacker to store a malicious `javascript:` URL. When a victim views this URL in the Hybrid Cloud Console, it can lead to Cross-Site Scripting (XSS), enabling script execution in the victim's session and potentially disclosing sensitive information.
Published: n/a
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in migration-planner allows an authenticated attacker to store a malicious javascript: URL in the AgentStatusUpdate.CredentialUrl field. When a victim later views this field in the Hybrid Cloud Console, the browser will execute the JavaScript in the victim's session, enabling the attacker to run arbitrary code, steal cookies, or modify page content. The weakness is a classic web-application injection flaw as identified by CWE-79.

Affected Systems

The vulnerability affects the migration-planner application. No specific vendor or product version information was supplied in the advisory; administrators should check the product installation for any exposed AgentStatusUpdate features.

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity, with impact limited to the victim's session. EPSS is not available, so the likelihood of exploitation cannot be quantified, but the flaw is exploitable by any authenticated user with write access to AgentStatusUpdate. The vulnerability is not listed in the CISA KEV catalog, but it remains a potential risk for environments where the Console is accessed by multiple users.

Generated by OpenCVE AI on June 11, 2026 at 02:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch or upgrade migration-planner to a version that validates the CredentialUrl field and rejects javascript: schemes.
  • If an immediate update is not possible, enforce a server-side or console-side URL whitelist to block javascript: URLs, and optionally disable the AgentStatusUpdate feature for untrusted users.
  • Configure a Content-Security-Policy header in the Hybrid Cloud Console that disallows inline script execution and restricts script sources to trusted domains, which mitigates the impact of any stored XSS payload.
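The scheme check described in the recommended actions, as an added Go example written for this page (not migration-planner's own code): it validates a CredentialUrl value against an http/https allowlist and rejects whitespace and control characters that browsers would otherwise strip. The function name and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"unicode"
)

// Positive allowlist: anything not listed (javascript:, data:, vbscript:, ...) is rejected.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// ValidateCredentialURL (constructed for this example) returns nil only for an absolute
// http(s) URL with a host. An allowlist is used instead of a javascript: denylist because
// browsers normalise case, whitespace and control characters before reading a scheme.
func ValidateCredentialURL(raw string) error {
	// Browsers strip whitespace and control characters, so "java\tscript:" would
	// still run if stored verbatim; reject such input outright.
	for _, r := range raw {
		if unicode.IsSpace(r) || unicode.IsControl(r) {
			return fmt.Errorf("credentialUrl contains whitespace or control character %q", r)
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("credentialUrl is not a valid URL: %w", err)
	}
	// url.Parse lowercases the scheme, so "JavaScript:" is compared as "javascript".
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("credentialUrl scheme %q is not allowed (want http or https)", u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("credentialUrl must be an absolute URL with a host")
	}
	return nil
}

func main() {
	// Constructed sample inputs, including the javascript: case from the advisory.
	for _, s := range []string{
		"https://vcenter.example.internal/sdk",
		"javascript:alert(1)",
		"java\tscript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"/relative/path",
	} {
		if err := ValidateCredentialURL(s); err != nil {
			fmt.Printf("reject %q: %v\n", s, err)
		} else {
			fmt.Printf("accept %q\n", s)
		}
	}
}
```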

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in migration-planner. Insufficient validation of the `AgentStatusUpdate.CredentialUrl` field allows an authenticated attacker to store a malicious `javascript:` URL. When a victim views this URL in the Hybrid Cloud Console, it can lead to Cross-Site Scripting (XSS), enabling script execution in the victim's session and potentially disclosing sensitive information.
Title | | migration-planner: credentialUrl Validator Accepts javascript: URLs
Weaknesses | | CWE-79
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}; threat_severity: Important

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-07T00:00:00Z

Links: CVE-2026-53472 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T02:15:27Z

Weaknesses