CVE-2024-36110

high

Description

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on pypi). Users are advised to upgrade. There are no known workarounds for these issues.

References

https://github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj

https://github.com/ansibleguy/webui/issues/44

https://github.com/ansibleguy/webui/files/15358522/Report.pdf

https://github.com/ansibleguy/webui/commit/7737b47e7f7ddbfec7b1418c724598363718d522

Details

Source: Mitre, NVD

Published: 2024-05-28

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:P

Severity: High

CVSS v3

Base Score: 8.2

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Severity: High

EPSS

EPSS: 0.00349