Skip to main content

Ansible Automation Platform CVE-2024-10033

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-10-16 secalert@redhat.com
6.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (redhat) · only source for this CVE.

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 16, 2024 - 17:15 cve.org
MEDIUM 6.1

DescriptionCVE.org

A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data.

AnalysisAI

A vulnerability was found in aap-gateway. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data. Affected products include: Redhat Ansible Automation Platform, Redhat Ansible Developer, Redhat Ansible Inside.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-5189 MEDIUM POC
6.5 Nov 14

A path traversal vulnerability exists in Ansible when extracting tarballs. Rated medium severity (CVSS 6.5), this vulner

CVE-2022-2568 MEDIUM POC
6.5 Aug 18

A privilege escalation flaw was found in the Ansible Automation Platform. Rated medium severity (CVSS 6.5), this vulnera

CVE-2022-3644 MEDIUM POC
5.5 Oct 25

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes th

CVE-2023-5764 HIGH
7.8 Dec 12

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the u

CVE-2023-4237 HIGH
7.8 Oct 04

A flaw was found in the Ansible Automation Platform. Rated high severity (CVSS 7.8), this vulnerability is low attack co

CVE-2023-50782 HIGH
7.5 Feb 05

A flaw was found in the python-cryptography package. Rated high severity (CVSS 7.5), this vulnerability is remotely expl

CVE-2021-20228 HIGH
7.5 Apr 29

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the

CVE-2021-3583 HIGH
7.1 Sep 22

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. Rated high severity (CVSS 7.

CVE-2022-1632 MEDIUM
6.5 Sep 01

An Improper Certificate Validation attack was found in Openshift. Rated medium severity (CVSS 6.5), this vulnerability i

CVE-2023-5115 MEDIUM
6.3 Dec 18

An absolute path traversal attack exists in the Ansible automation platform. Rated medium severity (CVSS 6.3), this vuln

CVE-2023-4380 MEDIUM
6.3 Oct 04

A logic flaw exists in Ansible Automation platform. Rated medium severity (CVSS 6.3), this vulnerability is remotely exp

CVE-2022-3205 MEDIUM
6.1 Sep 13

Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project na

Share

CVE-2024-10033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy