{
  "threat_severity" : "Low",
  "public_date" : "2023-12-12T00:00:00Z",
  "bugzilla" : {
    "description" : "mod_cluster/mod_proxy_cluster: Stored Cross site Scripting",
    "id" : "2254128",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2254128"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A flaw was found in mod_proxy_cluster in the Apache server. This issue may allow a malicious user to inject a script through the 'alias' parameter of the URL, triggering a stored cross-site scripting (XSS) vulnerability: a script supplied in the alias parameter of the URL causes a new virtual host to be added and the script to be inserted into the cluster-manager page.", "A flaw was found in mod_proxy_cluster in the Apache server. This issue may allow a malicious user to inject a script through the 'alias' parameter of the URL, triggering a stored cross-site scripting (XSS) vulnerability: a script supplied in the alias parameter of the URL causes a new virtual host to be added and the script to be inserted into the cluster-manager page." ],
  "statement" : "The impact of this vulnerability is considered Low, as the cluster-manager URL should not be exposed externally and is protected by username/password authentication.",
  "acknowledgement" : "Red Hat would like to thank Mohamed Mounir Boudjema (Intervalle-Technologies) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1316",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-3.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1316",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-3.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2387",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "mod_proxy_cluster-0:1.3.20-1.el9_4"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1317",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-mod_proxy_cluster"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Affected",
    "package_name" : "mod_proxy_cluster",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-6710\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6710" ],
  "name" : "CVE-2023-6710",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}