{"id":"CVE-2018-16887","details":"A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.","aliases":["GHSA-mhhc-r88h-2qrm"],"modified":"2026-04-11T12:07:40.890313Z","published":"2019-01-13T02:29:00.217Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1222"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/katello/katello","events":[{"introduced":"0"},{"fixed":"18ae245ab701427a13adced9cf851b63f1faa67d"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"3.9.0"}],"cpe":"cpe:2.3:a:theforeman:katello:*:*:*:*:*:*:*:*"}}],"versions":["2.4.0-RC1","3.9.0.rc1","3.9.0.rc2","katello-1.4.2-1","katello-1.4.3-1","katello-1.4.4-1","katello-1.4.5-1","katello-1.4.6-1","katello-1.4.7-1","katello-1.4.8-1","katello-1.4.9-1","katello-1.5.0-12","katello-1.5.0-13","katello-1.5.0-14","katello-1.5.1-1","katello-2.0.0-0","katello-2.1.0-1","katello-2.2.0-1","katello-2.3.0-1","rubygem-katello-1.5.0-10","rubygem-katello-1.5.0-11","rubygem-katello-1.5.0-12","rubygem-katello-1.5.0-9","rubygem-katello-2.0.0-1","rubygem-katello-2.1.0-1","rubygem-katello-2.2.0-1","rubygem-katello-2.2.0-2","rubygem-katello-2.3.0-1","rubygem-katello-2.3.0-2","rubygem-katello-2.4.0-1","rubygem-katello-2.4.0-2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-16887.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}