CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
Assigned To: Shlomi Zadok
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/2736
Velocity based estimate: -
We allow storage of key/value parameters globally or assigned to various objects, and a tickbox in the UI can hide the values to mask them from casual viewing. The tickbox that hides/shows the value fails to escape HTML, so it is vulnerable to a stored XSS issue: HTML stored in a parameter value is rendered, and executed, in the browser of another user who later ticks the hide/show box.
An example on the global parameters form is:
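As an added illustration (not Foreman's code, and not the example from the original report), the following contrasts a hide/show re-render that splices the stored value straight into markup with one that HTML-escapes it first; the function names and the sample parameter value are constructed for this example.

```javascript
// Added example, not Foreman's code: re-rendering a parameter value when the
// hide/show tickbox changes. The stored value is untrusted and must be escaped
// before it is placed into HTML.

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (the class of bug described above): the raw stored value
// is concatenated into the markup, so any HTML inside it becomes part of the page.
function renderValueUnsafe(value, hidden) {
  const type = hidden ? "password" : "text";
  return `<input type="${type}" name="parameter[value]" value="${value}">`;
}

// Hardened pattern: identical template, but the value is escaped for the
// attribute context, so markup in it is shown as literal text instead.
function renderValue(value, hidden) {
  const type = hidden ? "password" : "text";
  return `<input type="${type}" name="parameter[value]" value="${escapeHtml(value)}">`;
}

// Simple check a reviewer or test can apply: after escaping, no raw angle
// brackets or double quotes from the stored value may survive in the output.
function leaksRawMarkup(html, value) {
  const attr = html.slice(html.indexOf('value="') + 7, html.lastIndexOf('"'));
  return attr === String(value) && /[<>"]/.test(attr);
}

// Constructed sample: a parameter value that happens to contain markup.
const sampleValue = 'db.example <b>host</b> & "port"';

// Toggling the tickbox re-renders the field; the unsafe version keeps the
// markup intact, the hardened version does not.
for (const hidden of [true, false]) {
  const unsafe = renderValueUnsafe(sampleValue, hidden);
  const safe = renderValue(sampleValue, hidden);
  console.log(`hidden=${hidden} unsafe leaks markup: ${leaksRawMarkup(unsafe, sampleValue)}`);
  console.log(`hidden=${hidden} escaped leaks markup: ${leaksRawMarkup(safe, sampleValue)}`);
}
```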