Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2015-1368
Last Modified 28 Jan 2015 02:01:02
Published 27 Jan 2015 03:04:25
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2015-1368

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to credentials/, (2) inventories/, (3) projects/, or (4) users/3/permissions/ in api/v1/ or the (5) next_run parameter to api/v1/schedules/.

Vulnerable Systems

Application

  • Ansible Tower 2.0.2


References

MISC - https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150113-1_Ansible-Tower_multiple-vulnerabilities_v10.txt

XF - ansibletower-orderbynextrun-xss(99924)

BID - 72023

BUGTRAQ - 20150113 SEC Consult SA-20150113-1 :: Privilege Escalation & XSS & Missing Authentication in Ansible Tower

EXPLOIT-DB - 35786

MISC - http://packetstormsecurity.com/files/129944/Ansible-Tower-2.0.2-XSS-Privilege-Escalation-Authentication-Missing.html

OSVDB - 116965

OSVDB - 116964

OSVDB - 116963

OSVDB - 116962

OSVDB - 116961


Last Updated: 27 May 2016 11:07:38