A vulnerability, which was classified as problematic, was found in JBoss Management Console up to 7.1.6 (Application Server Software). This affects an unknown functionality of the component Management Console. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity.

The weakness was presented 03/27/2019 as confirmed bug report (Bugzilla). It is possible to read the advisory at bugzilla.redhat.com. This vulnerability is uniquely identified as CVE-2018-10934 since 05/09/2018. It is possible to initiate the attack remotely. The successful exploitation needs a authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 237128 (Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.1.6 for RHEL 7 (RHSA-2019:0365)).

Upgrading to version 7.1.6.CR1 or 7.1.6.GA eliminates this vulnerability.

See 122531, 123060, 124209 and 129525 for similar entries.

Productinfo

Type

• Application Server Software

Vendor

• JBoss

Name

• Management Console

Version

• 7.1.0
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4
• 7.1.5
• 7.1.6

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion