Description
A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions.
Published: 2026-06-10
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Migration‑Planner UI App allows an attacker to register a discovery agent that uses a credentialUrl containing malicious JavaScript. When an organizational user clicks that link in the interface, the script runs in the user's browser context. Because the script executes with the privileges of the logged‑in user, it can hijack the Red Hat Single Sign‑On (SSO) session, leading to unauthorized access across tenants and the ability to perform privileged API actions. This is a stored Cross‑Site Scripting (CWE‑79) flaw.

Affected Systems

This flaw affects the Migration‑Planner UI App component. Specific version ranges are not listed in the advisory; users should verify if their deployment includes the issue and update to a fixed release once available.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, and while the EPSS score is not available, the flaw requires user interaction—the victim must click the link—to trigger the exploit. The attack can be performed by any attacker who can register a malicious discovery agent, meaning internal users or compromised accounts could pose a threat. Because the code runs in the victim’s browser session, it can steal SSO tokens and perform cross‑tenant data or API actions. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 10, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • When a vendor‑supplied patch for Migration‑Planner UI App becomes available, apply it.
  • If a patch is not yet available, enforce a strict Content Security Policy that disallows inline JavaScript and the javascript: scheme for links rendered by the application.
  • Restrict or audit the creation of discovery agents so that only trusted, sanitized URLs are accepted, and consider disabling the ability to register agents that use external URLs outside the trusted domain.

Generated by OpenCVE AI on June 10, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Kubev2v migration Planner Ui
CPEs cpe:2.3:a:kubev2v:migration_planner_ui:*:*:*:*:*:*:*:*
Vendors & Products Kubev2v migration Planner Ui

Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kubev2v
Kubev2v migration-planner-ui-app
Vendors & Products Kubev2v
Kubev2v migration-planner-ui-app

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions.
Title Migration-planner-ui-app: stored xss via javascript: url in agent credential link
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Kubev2v Migration-planner-ui-app Migration Planner Ui
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T15:46:25.699Z

Reserved: 2026-06-09T17:03:29.627Z

Link: CVE-2026-53473

cve-icon Vulnrichment

Updated: 2026-06-10T15:46:21.629Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T15:16:41.820

Modified: 2026-06-16T14:29:10.250

Link: CVE-2026-53473

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-07T00:00:00Z

Links: CVE-2026-53473 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T10:41:55Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')