Vulnerability Details : CVE-2015-5282
Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2015-5282
- cpe:2.3:a:theforeman:foreman:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.13.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.13.4:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.12.4:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.14.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.10.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5282
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~51% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2015-5282
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2015-5282
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5282
- http://www.openwall.com/lists/oss-security/2015/09/21/3
  oss-security - CVE-2015-5282: Foreman stored XSS in parameter hide checkbox (Mailing List; Patch; Third Party Advisory)
- https://github.com/theforeman/foreman/commit/4f3555b217be8723e8045f9816d147b5f684ec57
  Fixes #11859 - handle HTML in parameters safely when hiding values (C… · theforeman/foreman@4f3555b · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://theforeman.org/security.html#2015-5282
  Foreman :: Security (Patch; Vendor Advisory)
- http://projects.theforeman.org/issues/11859
  Bug #11859: CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change - Foreman (Issue Tracking; Patch; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1264221
  1264221 – (CVE-2015-5282) CVE-2015-5282 foreman: XSS in hidden parameter value switcher (Issue Tracking; Patch; Third Party Advisory)