Main Vulnerability Database Vulnerabilities #VU30740

Cross-site scripting in tectonic - CVE-2018-9090

Published: September 24, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30740

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-9090

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: redhat

Affected software:
tectonic

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.

How to mitigate CVE-2018-9090

Install update from vendor's website.

Cross-site scripting in tectonic - CVE-2018-9090

Detailed vulnerability description

How to mitigate CVE-2018-9090

Sources

Please verify you're human