Actions
Bug #11859
closed
CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Description
We allow storage of key/value parameters globally or assigned to various objects, and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box.
An example on the global parameters form is:
"><script>alert("hi")</script><b c="Store this in a parameter value, reload the page and click the "Hidden value" checkbox and the JavaScript will execute. The reverse is probably possible too.
Updated by The Foreman Bot about 9 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2736 added
- Pull request deleted (
)
Updated by Dominic Cleal about 9 years ago
- Subject changed from Parameter hide/show checkbox allows XSS during textbox change to CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
- Description updated (diff)
Updated by Shlomi Zadok about 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 4f3555b217be8723e8045f9816d147b5f684ec57.
Updated by
Actions