Vulnerability Name:

CVE-2018-10934 (CCN-163330)

Assigned:2018-08-14
Published:2018-08-14
Updated:2019-06-11
Summary:A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users.
CVSS v3 Severity:5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2018-10934

Source: CCN
Type: RHSA-2019:0362
Security Advisory

Source: REDHAT
Type: UNKNOWN
RHSA-2019:1159

Source: REDHAT
Type: UNKNOWN
RHSA-2019:1160

Source: REDHAT
Type: UNKNOWN
RHSA-2019:1161

Source: REDHAT
Type: UNKNOWN
RHSA-2019:1162

Source: CCN
Type: Red Hat Bugzilla - Bug 1615673
(CVE-2018-10934) - CVE-2018-10934 wildfly-core: Cross-site scripting (XSS) in JBoss Management Console

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10934

Source: XF
Type: UNKNOWN
redhat-jboss-cve201810934-xss(163330)

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20190611-0002/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:single_sign-on:7.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    redhat jboss enterprise application platform 7.0
    redhat enterprise linux server 6.0
    redhat enterprise linux server 7.0
    redhat jboss enterprise application platform 7.1.0
    redhat single sign-on 7.2
    redhat jboss enterprise application platform *