Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be exploitable via "network connectivity". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).
References
Link | Resource |
---|---|
https://github.com/cobbler/cobbler/issues/1917 | Third Party Advisory |
https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ | Third Party Advisory |
Configurations
History
No history.
Information
Published : 2018-08-20 20:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-1000225
Mitre link : CVE-2018-1000225
CVE.ORG link : CVE-2018-1000225
JSON object : View
Products Affected
cobblerd
- cobbler
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')