Bug #6580: CVE-2014-3531 - XSS in operating system name / description
Status: closed
Description
Reported by Jan HutaĆ via RHBZ:
There is a possible XSS with operating system name/description.
Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140605.0
How reproducible:
always
Steps to Reproduce:
1. Go to Hosts -> Operating systems -> Create new operating system
2. Fill in "Name: T<b>OD</b>O"
- OR -
Fill in some "Name" and "Description: T<b>OD</b>O"
3. Submit
Actual results:
In the list of operating systems, the unescaped string is displayed.
Expected results:
HTML should be escaped
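The two rendering paths the report contrasts, written out as an added example in plain Ruby; this is not Foreman's code, and the page does not say which view or helper in Foreman missed the escaping. The list template, the helper names and the sample inputs (the report's own `T<b>OD</b>O` payload plus one more common stored-XSS probe) are all constructed for illustration. Note that plain ERB's `<%= %>` writes strings verbatim, whereas Rails' ActionView escapes by default, so in a Rails view the equivalent of the vulnerable path is usually a `raw`/`html_safe` call or a helper that builds markup from the model attribute by string concatenation.

```ruby
require "erb"

# Constructed sample: operating-system names as a user might submit them
# through Hosts -> Operating systems -> Create new operating system.
SAMPLE_OS_NAMES = [
  "RHEL 6.5",
  "T<b>OD</b>O",                         # the payload from the report
  "Fedora <img src=x onerror=alert(1)>", # a typical stored-XSS probe
].freeze

# Hypothetical list template. Plain ERB's <%= %> performs NO escaping, so
# whatever the rendering helper hands it lands in the page verbatim.
LIST_TEMPLATE = ERB.new(<<~HTML, trim_mode: "-")
  <table class="os-list">
  <% rows.each do |name| -%>
    <tr><td><%= name %></td></tr>
  <% end -%>
  </table>
HTML

# Vulnerable rendering: attacker-controlled names go into the markup untouched.
def render_os_list_unescaped(names)
  rows = names
  LIST_TEMPLATE.result(binding)
end

# Hardened rendering: every user-controlled string is HTML-escaped at the point
# it is written into markup. ERB::Util.html_escape is the stdlib escaper and
# turns <, >, &, " and ' into entities.
def render_os_list_escaped(names)
  rows = names.map { |n| ERB::Util.html_escape(n) }
  LIST_TEMPLATE.result(binding)
end

# Reviewer's check for either output: does any input that contained a tag
# survive in the rendered page as live markup?
def contains_live_markup?(html, names)
  names.any? { |n| n.include?("<") && html.include?(n) }
end

if __FILE__ == $PROGRAM_NAME
  puts "--- unescaped (vulnerable) ---"
  puts render_os_list_unescaped(SAMPLE_OS_NAMES)
  puts "--- escaped (fixed) ---"
  puts render_os_list_escaped(SAMPLE_OS_NAMES)
end
```

Running the script prints both tables; in the first, the `<b>` and `<img>` tags from the names are real elements in the page, in the second they appear as literal text, which is the "HTML should be escaped" outcome the report asks for. Escaping at output time, rather than filtering on input, is the right fix because the same name is also shown in other views and API responses where different encodings apply.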