Stored and reflected cross-site scripting (XSS) flaws were found in the way spacewalk-java displayed certain information. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data.
Find out more about CVE-2014-3654 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Satellite 5.6 (RHEL v.6) (spacewalk-java) | RHSA-2014:1762 | 2014-10-30 |
| Red Hat Satellite 5.5 (RHEL v.6) (spacewalk-java) | RHSA-2014:1762 | 2014-10-30 |
| Red Hat Satellite 5.5 (RHEL v.5) (spacewalk-java) | RHSA-2014:1762 | 2014-10-30 |
| Red Hat Satellite 5.6 (RHEL v.5) (spacewalk-java) | RHSA-2014:1762 | 2014-10-30 |
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 5 | spacewalk | Will not fix |
Vulmon