{
  "threat_severity" : "Moderate",
  "public_date" : "2018-08-10T00:00:00Z",
  "bugzilla" : {
    "description" : "bootstrap: XSS in the affix configuration target property",
    "id" : "1668089",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1668089"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.", "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the affix configuration target property. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hosting Web site, which can lead to stealing the victim's cookie-based authentication credentials." ],
  "statement" : "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all.\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 6.1",
    "release_date" : "2023-10-12T00:00:00Z",
    "advisory" : "RHSA-2023:5693",
    "cpe" : "cpe:/a:redhat:ceph_storage:6.1::el9",
    "package" : "ceph-2:17.2.6-148.el9cp"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "release_date" : "2020-01-16T00:00:00Z",
    "advisory" : "RHSA-2020:0133",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:3936",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "ipa-0:4.6.8-5.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "idm:client-8030020200923172426.05ac3f11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "idm:DL1-8030020200923172343.9c827e52"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5571",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "python-XStatic-Bootstrap-SCSS-0:3.4.1.0-1.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5571",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "python-XStatic-Bootstrap-SCSS-0:3.4.1.0-1.el7ost"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "release_date" : "2020-01-16T00:00:00Z",
    "advisory" : "RHSA-2020:0132",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3.2 zip",
    "release_date" : "2019-06-11T00:00:00Z",
    "advisory" : "RHSA-2019:1456",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3",
    "package" : "bootstrap"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2019-05-08T00:00:00Z",
    "advisory" : "RHBA-2019:1076",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-engine-api-explorer-0:0.0.4-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2019-06-20T00:00:00Z",
    "advisory" : "RHBA-2019:1570",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-engine-api-explorer-0:0.0.5-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2019-10-10T00:00:00Z",
    "advisory" : "RHSA-2019:3023",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-engine-ui-extensions-0:1.0.10-1.el7ev"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Not affected",
    "package_name" : "cfme-gemset",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "OpenShift Service Mesh 2.1",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.1"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Affected",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Discovery 1",
    "fix_state" : "Not affected",
    "package_name" : "discovery-server-container",
    "cpe" : "cpe:/a:redhat:discovery:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "pki-core",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-core:10.6/pki-core",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Out of support scope",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Affected",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:14"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15 (Stein)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:15"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Not affected",
    "package_name" : "qpid-dispatch",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "qpid-dispatch",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:9"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Affected",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 5",
    "fix_state" : "Not affected",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:network_satellite:5"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "cockpit-ovirt",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ovirt-engine-dashboard",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ovirt-js-dependencies",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-20677\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-20677" ],
  "name" : "CVE-2018-20677",
  "csaw" : false
}