Actions
Bug #16019
closed
CVE-2016-6319 - Persistent XSS in job invocation form triggered by unescaped user input name
Description
The value is used for label in job invocation form. The vulnerability/fix belongs to Foreman which stopped escaping the label since [1.6.0](https://github.com/theforeman/foreman/commit/2af7c64a3b9c2699a3131483bc2344b50c138542#diff-d07b3cdd6c00768e06bfed349d3c808fR157).
Updated by Marek Hulán about 8 years ago
- Related to Bug #16024: Foreman form helpers do not escape JS when rendering label added
Updated by Marek Hulán about 8 years ago
- Subject changed from Persistent XSS in job invocation form triggered by unescaped user input name to CVE-2016-6319 - Persistent XSS in job invocation form triggered by unescaped user input name
- Status changed from New to Ready For Testing
The core PR can be found at https://github.com/theforeman/foreman/pull/3715
Updated by Marek Hulán about 8 years ago
- Status changed from Ready For Testing to Resolved
Foreman fix was merged to develop branch, the tracking issue is currently set to 1.12.2 so the fix should be in next stable release.
Actions