- Description
- The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible.
- Source
- secalert@redhat.com
- NVD status
- Modified
CVSS 2.0
- Type
- Primary
- Base score
- 4.3
- Impact score
- 2.9
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:P/I:N/A:N
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:linux:*:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "B133DAC8-2B0D-4F83-9025-AD071740187A"
}
],
"operator": "OR"
},
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:conga:conga:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "2D03758E-CEC5-4E1A-A21C-A86CBFB77FB2"
}
],
"operator": "OR"
}
],
"operator": "AND"
}
]