Bug #16022

CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

Added by Dominic Cleal over 1 year ago. Updated 8 months ago.

Status: Closed
Priority: Normal
Assigned To: Tomer Brisker
Category: Security
Target version: Team Daniel - iteration 1
Difficulty:
Bugzilla link: 1421803
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/3714
Story points: -
Velocity based estimate: -
Release: 1.12.2
Release relationship: Auto

Description

Network interface identifiers stored for hosts may contain HTML or JavaScript that allows a stored XSS (cross-site scripting) vulnerability when later viewing the host edit form.

This issue was reported by Sanket Jagtap.

CVE identifier will be assigned.

Associated revisions

Revision 53081ea1
Added by Tomer Brisker over 1 year ago

Fixes #16022 - Prevent stored XSS in host interface form

The host interface form may contain a stored XSS in the identifier field
allowing a user allowed to edit a host's interfaces to cause code
execution by another user viewing that host's edit form.

Revision 2ab766fa
Added by Tomer Brisker about 1 year ago

Fixes #16022 - Prevent stored XSS in host interface form

The host interface form may contain a stored XSS in the identifier field
allowing a user allowed to edit a host's interfaces to cause code
execution by another user viewing that host's edit form.

(cherry picked from commit 53081ea14b30d66f0d67b62fe950a2c1463225f5)

History

#1 Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/3714 added

#2 Updated by Tomer Brisker over 1 year ago

  • Target version set to Team Daniel - iteration 1

#3 Updated by Anonymous over 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Dominic Cleal over 1 year ago

  • Subject changed from Network interface device identifiers may contain stored XSS on host form to CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

#5 Updated by Daniel Lobato Garcia about 1 year ago

  • Target version changed from Team Daniel - iteration 1 to Team Daniel - iteration 2

#6 Updated by Daniel Lobato Garcia about 1 year ago

  • Target version changed from Team Daniel - iteration 2 to Team Daniel - iteration 1

#7 Updated by Ohad Levy 8 months ago

  • Bugzilla link set to 1421803
