Main Vulnerability Database SB2019092431

SB2019092431 - Cross-site scripting in redhat tectonic

Published: September 24, 2019 Updated: July 17, 2020

Security Bulletin ID SB2019092431

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2018-9090)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.

Remediation

Install update from vendor's website.

SB2019092431 - Cross-site scripting in redhat tectonic

Breakdown by Severity

Description

Remediation

References

Please verify you're human