Bug #16022

CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

Added by Dominic Cleal 8 months ago. Updated 12 days ago.

Status: Closed
Priority: Normal
Assigned To: Tomer Brisker
Category: Security
Target version: Team Daniel - iteration 1
Difficulty:
Bugzilla link: 1421803
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/3714
Story points: -
Velocity based estimate: -
Release: 1.12.2
Release relationship: Auto

Description

Network interface identifiers stored for hosts may contain HTML or JavaScript that allows a stored XSS (cross-site scripting) vulnerability when later viewing the host edit form.

This issue was reported by Sanket Jagtap.

CVE identifier will be assigned.
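The root cause described above is a stored value being written into the host edit form without output encoding. The following is an added illustration, not Foreman's code and not the change made in the linked pull request: it contrasts the unescaped "before" pattern with an escaped "after" pattern using Ruby's `ERB::Util.html_escape`, and adds an allowlist check on the identifier format as defence in depth. The function names, the regular expression and the sample identifier strings are constructed for this example.

```ruby
require 'erb'

# Constructed sample values for the example (not taken from the ticket).
BENIGN_IDENTIFIER    = 'eth0'
MALICIOUS_IDENTIFIER = 'eth0<script>alert(1)</script>'

# "Before" pattern: the stored identifier is interpolated into the form markup
# unchanged, so any HTML it carries is parsed and run by the viewer's browser.
def render_identifier_unescaped(identifier)
  %(<input type="text" name="interface[identifier]" value="#{identifier}">)
end

# "After" pattern: escape on output. ERB::Util.html_escape turns & < > " and '
# into entities, so the browser displays the literal text instead of markup.
def render_identifier_escaped(identifier)
  %(<input type="text" name="interface[identifier]" value="#{ERB::Util.html_escape(identifier)}">)
end

# Defence in depth: NIC identifiers are short names such as eth0, bond0.100 or
# br-ex, so a strict allowlist at write time rejects markup before it is stored.
# Output escaping stays the primary control, because values can also reach the
# database through other paths (API calls, fact imports) that bypass the form.
IDENTIFIER_FORMAT = /\A[A-Za-z0-9][A-Za-z0-9._:-]{0,31}\z/

def valid_identifier?(identifier)
  IDENTIFIER_FORMAT.match?(identifier)
end

# Simple regression check for templates: true when rendered markup still
# contains a live <script tag, i.e. the unescaped pattern was used.
def leaks_markup?(rendered_html)
  rendered_html.match?(/<\s*script/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_identifier_unescaped(MALICIOUS_IDENTIFIER)
  puts render_identifier_escaped(MALICIOUS_IDENTIFIER)
  puts "valid? #{valid_identifier?(MALICIOUS_IDENTIFIER)}"
end
```

In a Rails view the equivalent of the escaped pattern is the default `<%= %>` behaviour; the unescaped pattern corresponds to `raw`/`html_safe` or to string concatenation in JavaScript that builds the form dynamically, which is where this class of bug usually hides.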

Associated revisions

Revision 53081ea1
Added by Tomer Brisker 8 months ago

Fixes #16022 - Prevent stored XSS in host interface form

The host interface form may contain a stored XSS in the identifier field
allowing a user allowed to edit a host's interfaces to cause code
execution by another user viewing that host's edit form.

History

#1 Updated by The Foreman Bot 8 months ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/3714 added

#2 Updated by Tomer Brisker 8 months ago

  • Target version set to Team Daniel - iteration 1

#3 Updated by Anonymous 8 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Dominic Cleal 8 months ago

  • Subject changed from Network interface device identifiers may contain stored XSS on host form to CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

#5 Updated by Daniel Lobato Garcia 7 months ago

  • Target version changed from Team Daniel - iteration 1 to Team Daniel - iteration 2

#6 Updated by Daniel Lobato Garcia 7 months ago

  • Target version changed from Team Daniel - iteration 2 to Team Daniel - iteration 1

#7 Updated by Ohad Levy 12 days ago

  • Bugzilla link set to 1421803
