Upstream information

CVE-2016-3079 at MITRE

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to systems/SystemEntitlements.do; (2) the label parameter to admin/multiorg/EntitlementDetails.do; or the name of a (3) snapshot tag or (4) system group in System Set Manager (SSM).

SUSE information

CVSS v2 Scores
  National Vulnerability Database SUSE
Base Score 4.30 5.76
Vector AV:N/AC:M/Au:N/C:N/I:P/A:N AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector Network Network
Access Complexity Medium Medium
Authentication None None
Confidentiality Impact None Partial
Integrity Impact Partial Partial
Availability Impact None None
CVSS v3 Scores
  National Vulnerability Database
Base Score 6.1
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Access Vector Network
Access Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Impact Low
Integrity Impact Low
Availability Impact None
SUSE Bugzilla entry: 973162 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Manager 2.1
  • cobbler >= 2.2.2-0.61.2
  • osa-dispatcher >= 5.11.33.11-15.2
  • osad >= 5.11.33.11-15.2
  • rhnlib >= 2.5.69.8-11.2
  • spacewalk-backend >= 2.1.55.25-24.5
  • spacewalk-backend-app >= 2.1.55.25-24.5
  • spacewalk-backend-applet >= 2.1.55.25-24.5
  • spacewalk-backend-config-files >= 2.1.55.25-24.5
  • spacewalk-backend-config-files-common >= 2.1.55.25-24.5
  • spacewalk-backend-config-files-tool >= 2.1.55.25-24.5
  • spacewalk-backend-iss >= 2.1.55.25-24.5
  • spacewalk-backend-iss-export >= 2.1.55.25-24.5
  • spacewalk-backend-libs >= 2.1.55.25-24.5
  • spacewalk-backend-package-push-server >= 2.1.55.25-24.5
  • spacewalk-backend-server >= 2.1.55.25-24.5
  • spacewalk-backend-sql >= 2.1.55.25-24.5
  • spacewalk-backend-sql-oracle >= 2.1.55.25-24.5
  • spacewalk-backend-sql-postgresql >= 2.1.55.25-24.5
  • spacewalk-backend-tools >= 2.1.55.25-24.5
  • spacewalk-backend-xml-export-libs >= 2.1.55.25-24.5
  • spacewalk-backend-xmlrpc >= 2.1.55.25-24.5
  • spacewalk-branding >= 2.1.33.16-18.2
  • spacewalk-certs-tools >= 2.1.6.10-18.3
  • spacewalk-java >= 2.1.165.23-20.1
  • spacewalk-java-config >= 2.1.165.23-20.1
  • spacewalk-java-lib >= 2.1.165.23-20.1
  • spacewalk-java-oracle >= 2.1.165.23-20.1
  • spacewalk-java-postgresql >= 2.1.165.23-20.1
  • spacewalk-taskomatic >= 2.1.165.23-20.1
  • spacewalk-utils >= 2.1.27.15-12.7
  • suseRegisterInfo >= 2.1.12-14.2
  • susemanager >= 2.1.24-23.1
  • susemanager-sync-data >= 2.1.15-30.2
  • susemanager-tftpsync >= 2.1.2-11.2
  • susemanager-tools >= 2.1.24-23.1
Patchnames:
sleman21-suse-manager-21-201605-12567