Northern.tech CFEngine Enterprise Mission Portal Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in the Mission Portal of Northern.tech CFEngine Enterprise 3.24.0 and 3.21.5, and in earlier releases of those branches. The settings area does not validate or encode the contents of certain text fields, so an authenticated user with administrator privileges can save JavaScript in a field; the script then executes in the browser of any other user who later opens the same form. The issue is limited to the settings area and requires an administrator account to plant the payload and a second user to view the affected form, so in practice it enables XSS between two administrator accounts.
Impact
An attacker who already holds one administrator account can execute script in the browser session of a second administrator. The victim must open the settings form that contains the injected value; once it does, the script runs with the victim's authenticated session and can issue requests to the Mission Portal as that administrator.
Remediation
Upgrade to CFEngine Enterprise 3.21.6 or 3.24.1, or a later release of the respective branch. In addition, apply the principle of least privilege and limit Mission Portal administrator access to the users who need it, since only an administrator can plant the payload.
