Bug #16022

CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

Added by Dominic Cleal 10 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assigned To: Tomer Brisker
Category: Security
Target version: Team Daniel - iteration 1
Difficulty:
Bugzilla link: 1421803
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/3714
Story points: -
Velocity based estimate: -
Release: 1.12.2
Release relationship: Auto

Description

Network interface identifiers stored for hosts may contain HTML or JavaScript that allows a stored XSS (cross-site scripting) vulnerability when later viewing the host edit form.

This issue was reported by Sanket Jagtap.

CVE identifier will be assigned.
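As an added example that is not Foreman's own code, the renderer below is a hypothetical stand-in for the host interface form field: one version interpolates the stored identifier into the markup unescaped (the defect class this issue describes), the other escapes it with ERB::Util.html_escape, which is what Rails' ERB output and form helpers apply. The identifier value and the one-tag check are constructed for the example.

```ruby
require 'erb'

# Constructed sample: an interface identifier as it could be stored by a user
# who is allowed to edit a host's interfaces (HTML plus a script element).
MALICIOUS_IDENTIFIER = 'eth0"><script>alert(1)</script>'.freeze

# Vulnerable rendering: the stored identifier goes straight into the form
# markup, so its quote and angle brackets reach the next viewer's browser intact.
def render_identifier_unsafe(identifier)
  %(<input name="interface[identifier]" value="#{identifier}">)
end

# Hardened rendering: HTML-escape the value before it enters the markup.
# ERB::Util.html_escape encodes & < > " and ', so the identifier cannot close
# the attribute or open a new element.
def render_identifier_safe(identifier)
  %(<input name="interface[identifier]" value="#{ERB::Util.html_escape(identifier)}">)
end

# Check usable in a view test: the rendered field must contain exactly one tag
# opener, its own <input>; any further '<' means stored data became markup.
def only_one_tag?(html)
  html.count('<') == 1
end

if __FILE__ == $PROGRAM_NAME
  puts render_identifier_unsafe(MALICIOUS_IDENTIFIER)
  puts render_identifier_safe(MALICIOUS_IDENTIFIER)
end
```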

Associated revisions

Revision 53081ea1
Added by Tomer Brisker 10 months ago

Fixes #16022 - Prevent stored XSS in host interface form

The host interface form may contain a stored XSS in the identifier field
allowing a user allowed to edit a host's interfaces to cause code
execution by another user viewing that host's edit form.

History

#1 Updated by The Foreman Bot 10 months ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/3714 added

#2 Updated by Tomer Brisker 10 months ago

  • Target version set to Team Daniel - iteration 1

#3 Updated by Anonymous 10 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Dominic Cleal 10 months ago

  • Subject changed from Network interface device identifiers may contain stored XSS on host form to CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

#5 Updated by Daniel Lobato Garcia 9 months ago

  • Target version changed from Team Daniel - iteration 1 to Team Daniel - iteration 2

#6 Updated by Daniel Lobato Garcia 9 months ago

  • Target version changed from Team Daniel - iteration 2 to Team Daniel - iteration 1

#7 Updated by Ohad Levy 3 months ago

  • Bugzilla link set to 1421803
