Description
A flaw was found in migration-planner. Insufficient validation of the `AgentStatusUpdate.CredentialUrl` field allows an authenticated attacker to store a malicious `javascript:` URL. When a victim views this URL in the Hybrid Cloud Console, it can lead to Cross-Site Scripting (XSS), enabling script execution in the victim's session and potentially disclosing sensitive information.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
No data.
No data.
| Vendor | Product | Confidence | Versions | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Kubev2v | Migration-planner | 100% |
|
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Thu, 11 Jun 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Kubev2v
Kubev2v migration-planner |
|
| Vendors & Products |
Kubev2v
Kubev2v migration-planner |
Thu, 11 Jun 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in migration-planner. Insufficient validation of the `AgentStatusUpdate.CredentialUrl` field allows an authenticated attacker to store a malicious `javascript:` URL. When a victim views this URL in the Hybrid Cloud Console, it can lead to Cross-Site Scripting (XSS), enabling script execution in the victim's session and potentially disclosing sensitive information. | |
| Title | migration-planner: credentialUrl Validator Accepts javascript: URLs | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
MITRE
No data.
Vulnrichment
No data.
NVD
No data.
Redhat
OpenCVE Enrichment
Updated: 2026-06-11T10:42:20Z
Weaknesses