Bug #6580: CVE-2014-3531 - XSS in operating system name / description - Foreman

Actions

Copy link

Bug #6580

closed

CVE-2014-3531 - XSS in operating system name / description

Added by Dominic Cleal almost 10 years ago. Updated almost 6 years ago.

Status:

Closed

Priority:

High

Assignee:

Daniel Lobato Garcia

Category:

Security

Target version:

1.5.2

Difficulty:

Triaged:

Bugzilla link:

1106417

Pull request:

https://github.com/theforeman/foreman/pull/1580

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

Reported by Jan Hutař via RHBZ:

There is a possible XSS with operating system name/description.

Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140605.0

How reproducible:
always

Steps to Reproduce:
1. Go to Hosts -> Operating systems -> Create new operating system
2. Fill "Name: T<b>OD</b>O" in
- OR -
Fill some "Name" and "Description: T<b>OD</b>O" in
3. Submit

Actual results:
In a list of operating systems unescaped string is displayed

Expected results:
HTML should be escaped

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Custom queries

Bug #6580

CVE-2014-3531 - XSS in operating system name / description

Updated by Dominic Cleal almost 10 years ago

Updated by Daniel Lobato Garcia almost 10 years ago

Updated by Daniel Lobato Garcia almost 10 years ago

Updated by The Foreman Bot almost 10 years ago

Updated by Dominic Cleal almost 10 years ago

Updated by Dominic Cleal almost 10 years ago