{
  "threat_severity" : "Moderate",
  "public_date" : "2016-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-manila-ui: persistent XSS in metadata field",
    "id" : "1375147",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1375147"
  },
  "cvss" : {
    "cvss_base_score" : "3.5",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:S/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Cross-site scripting (XSS) vulnerability in the \"Shares\" overview in OpenStack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the \"Create Share\" form.", "A cross-site scripting flaw was discovered in the Metadata field of openstack-manila-ui's \"Create Share\" form. A user could inject malicious HTML/JavaScript code that would then be stored and later rendered in the \"Shares\" overview (persistent XSS). Remote, authenticated, but unprivileged users could exploit this vulnerability to steal session cookies and escalate their privileges." ],
  "acknowledgement" : "Red Hat would like to thank SUSE for reporting this issue. Upstream acknowledges Niklaus Schiess as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
    "release_date" : "2016-10-26T00:00:00Z",
    "advisory" : "RHSA-2016:2115",
    "cpe" : "cpe:/a:redhat:openstack:7::el7",
    "package" : "openstack-manila-ui-0:1.0.1-3.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8.0 (Liberty)",
    "release_date" : "2016-10-26T00:00:00Z",
    "advisory" : "RHSA-2016:2116",
    "cpe" : "cpe:/a:redhat:openstack:8::el7",
    "package" : "openstack-manila-ui-0:1.2.0-2.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9.0 (Mitaka)",
    "release_date" : "2016-10-26T00:00:00Z",
    "advisory" : "RHSA-2016:2117",
    "cpe" : "cpe:/a:redhat:openstack:9::el7",
    "package" : "openstack-manila-ui-0:2.1.0-2.el7ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Not affected",
    "package_name" : "openstack-manila-ui",
    "cpe" : "cpe:/a:redhat:openstack:10"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-6519\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-6519" ],
  "name" : "CVE-2016-6519",
  "csaw" : false
}