CVE-2026-53473: Migration-planner-ui-app: stored xss via javascript: url in agent credential link

Synopsis

Stored cross-site scripting (XSS) in migration-planner-ui-app allows an attacker who can register a discovery agent to plant a malicious JavaScript URL in the credentialUrl field. When a legitimate user clicks that link in the migration planner UI, the injected code runs in their browser session. Successful exploitation gives the attacker control of the victim's Red Hat Single Sign-On (SSO) session, enabling unauthorized reads and writes across tenant boundaries. A patched-image rebuild at version 0.13.5 is available on HarborGuard for affected environments.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the migration-planner-ui-app service over the network to register a malicious agent and the victim must access the UI over the network for the payload to fire.

• AuthenticationRequired

  The attacker needs at least a low-privilege account to register a discovery agent with a crafted credentialUrl; any authenticated user with agent-registration access is sufficient.

• Victim interactionRequired

  A legitimate organizational user must click the malicious credentialUrl link in the migration planner UI for the injected JavaScript to execute.

• Attack complexityDetail

  Attack complexity is low; the exploit is reliable and requires no race conditions or special environmental configuration beyond registering the malicious agent and waiting for a user click.

Blast Radius

• The attacker reads the victim's active Red Hat Single Sign-On session token, enabling impersonation of that user.
• With a captured session, the attacker can issue API calls as the victim, including reads of data belonging to other tenants in a shared deployment.
• The attacker can perform write-level API actions (creating, modifying, or deleting migration plans and associated resources) under the victim's identity.