Bug #16024

Foreman form helpers do not escape JS when rendering label

Added by Marek Hulán 8 months ago. Updated 8 months ago.

Status:Closed
Priority:Normal
Assigned To:Marek Hulán
Category:Security
Target version:Team Marek Iteration 1
Difficulty:
Bugzilla link:
Found in release:1.6.0
Pull request:https://github.com/theforeman/foreman/pull/3715
Story points:-
Velocity based estimate:-
Release:1.12.2
Release relationship:Auto

Description

The issue was introduced in Foreman 1.6. There's only one dynamic :label => in Foreman; it uses the MailNotification name, which we don't allow users to modify, so there's no vulnerable code in Foreman. But the remote execution plugin relies on this label being escaped. Setting to 1.12.2, feel free to reset. For REX this is pretty important though.
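As an added illustration (not Foreman's own form helper code), a minimal stand-alone Ruby version of the pattern this bug is about: a form label built from a user-controlled name is interpolated into the markup unescaped, beside a variant that passes it through ERB::Util.html_escape, plus a check that can be run over rendered output. The helper names, the markup and the sample label are assumptions.

```ruby
require "erb"

# Constructed sample: a user-controlled field name (as a plugin might store
# for a job input) that happens to contain markup characters.
SAMPLE_LABEL = 'Command <b>name</b> & "options"'.freeze

# Hypothetical helper in the style the bug describes: the label is treated as
# trusted and interpolated straight into the HTML, so any markup in it is
# rendered by the browser.
def label_unescaped(field_id, label)
  %(<label for="#{field_id}">#{label}</label>)
end

# Fixed variant: both the attribute value and the label text go through
# ERB::Util.html_escape, which turns & < > " ' into entities.
def label_escaped(field_id, label)
  id  = ERB::Util.html_escape(field_id)
  txt = ERB::Util.html_escape(label)
  %(<label for="#{id}">#{txt}</label>)
end

# Defender-side check over rendered HTML: the text inside <label>...</label>
# must contain no raw markup characters and no bare ampersands (only the five
# entities html_escape emits). Returns false when no label is found.
def label_text_escaped?(html)
  inner = html[%r{<label[^>]*>(.*)</label>}m, 1]
  return false if inner.nil?
  !inner.match?(/[<>"']|&(?!(amp|lt|gt|quot|#39);)/)
end

if __FILE__ == $PROGRAM_NAME
  puts label_unescaped("job_command", SAMPLE_LABEL)
  puts label_escaped("job_command", SAMPLE_LABEL)
end
```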


Related issues

Related to Foreman Remote Execution - Bug #16019: CVE-2016-6319 - Persistent XSS in job invocation form tri... Resolved 08/09/2016

Associated revisions

Revision 0f35fe14
Added by Marek Hulán 8 months ago

Fixes #16024 - escape labels of form fields

History

#1 Updated by The Foreman Bot 8 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3715 added

#2 Updated by Marek Hulán 8 months ago

  • Category changed from Web Interface to Security

#3 Updated by Marek Hulán 8 months ago

  • Related to Bug #16019: CVE-2016-6319 - Persistent XSS in job invocation form triggered by unescaped user input name added

#4 Updated by Marek Hulán 8 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
