{"id":"CVE-2024-10086","details":"A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.","aliases":["BIT-consul-2024-10086","GHSA-99wr-c2px-grmh","GO-2024-3242"],"modified":"2026-03-09T23:55:35.897629Z","published":"2024-10-30T22:15:03.283Z","related":["CGA-x477-pxvm-w783","SUSE-SU-2024:3950-1","openSUSE-SU-2024:0350-1","openSUSE-SU-2024:14458-1"],"references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2024-24-consul-vulnerable-to-reflected-xss-on-content-type-error-manipulation"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250110-0006/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/consul","events":[{"introduced":"65d2c9b51d02e6b14db3da3cb8424ef72e046780"},{"fixed":"d64fc79023011fdd0f600cc6460622eedde25f54"},{"introduced":"65d2c9b51d02e6b14db3da3cb8424ef72e046780"},{"fixed":"cddc6181264ad5909e2795ec5cd68a89fa3b2c99"},{"introduced":"349cec176db1a6067952c1708d384e56de4eb9e1"},{"fixed":"e694ba9b3f1c9f440350869e739d534532946920"},{"introduced":"bf0166d85082f384a94c5c0e6227619e63f3c644"},{"fixed":"165f38b86348f88d891f68ea9a93aa447c022a29"}],"database_specific":{"versions":[{"introduced":"1.4.1"},{"fixed":"1.15.15"},{"introduced":"1.4.1"},{"fixed":"1.20.0"},{"introduced":"1.18.0"},{"fixed":"1.18.5"},{"introduced":"1.19.0"},{"fixed":"1.19.3"}]}}],"versions":["api/v1.0.0","api/v1.0.1","api/v1.1.0","api/v1.10.0","api/v1.2.0","api/v1.20.0","api/v1.21.0","api/v1.28.3","api/v1.29.5-rc1","api/v1.4.0","ent-changelog-1.15.11","ent-changelog-1.15.12","ent-changelog-1.15.13","ent-changelog-1.18.3","envoyextensions/v0.1.2","envoyextensions/v0.2.0","envoyextensions/v0.7.4-rc1","internal/v0.1.0","list","proto-public/v0.1.0","proto-public/v0.1.1","proto-public/v0.5.4-rc1","proto-public/v0.6.1","proto-public/v0.6.2","proto-public/v0.6.3","sdk/v0.1.0","sdk/v0.1.1","sdk/v0.13.1","sdk/v0.16.1","sdk/v0.2.0","sdk/v0.4.0","troubleshoot/v0.1.2","troubleshoot/v0.7.2-rc1","v1.11.0-alpha","v1.15.11","v1.20.0-rc1","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.6.0","v1.6.0-beta1","v1.6.0-beta2","v1.6.0-beta3","v1.6.0-rc1","v1.6.1","v1.7.0","v1.7.0-beta1","v1.7.0-beta2","v1.7.0-beta3","v1.9.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-10086.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}