{"id":"CVE-2018-1000225","details":"Cobbler, verified as present in versions 2.6.11+ (code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable), contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to be exploitable via \"network connectivity\": sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).","aliases":["GHSA-q9g5-98pm-w6q7"],"modified":"2026-03-14T02:47:18.096424Z","published":"2018-08-20T20:29:01.720Z","related":["SUSE-RU-2018:2639-1","SUSE-SU-2018:2551-1","SUSE-SU-2018:2561-1","SUSE-SU-2018:2608-1","openSUSE-SU-2021:0046-1","openSUSE-SU-2021:0058-1","openSUSE-SU-2024:10690-1"],"references":[{"type":"ADVISORY","url":"https://github.com/cobbler/cobbler/issues/1917"},{"type":"ADVISORY","url":"https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000225.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}