Bug #11859: CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change - Foreman

Actions

Copy link

Bug #11859

closed

CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change

Added by Dominic Cleal almost 10 years ago. Updated almost 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Shlomi Zadok

Category:

Security

Target version:

1.10.0

Difficulty:

Triaged:

Bugzilla link:

1268995

Pull request:

https://github.com/theforeman/foreman/pull/2736

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

We allow storage of key/value parameters globally or assigned to various objects, and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box.

An example on the global parameters form is:

">&lt;script&gt;alert("hi")&lt;/script&gt;&lt;b c=&quot;

Store this in a parameter value, reload the page and click the "Hidden value" checkbox and the JavaScript will execute. The reverse is probably possible too.

Actions

Copy link

Updated by The Foreman Bot almost 10 years ago

Status changed from New to Ready For Testing
Pull request https://github.com/theforeman/foreman/pull/2736 added
Pull request deleted ()

Actions

Copy link

Updated by Dominic Cleal almost 10 years ago

Subject changed from Parameter hide/show checkbox allows XSS during textbox change to CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
Description updated (diff)

Actions

Copy link