Bug #17195

CVE-2016-8634 - Organization/location wizard may run stored XSS through alert

Added by Dominic Cleal 4 months ago. Updated 3 months ago.

Status:Closed
Priority:Normal
Assigned To:Tomer Brisker
Category:Security
Target version:-
Difficulty:
Bugzilla link:
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/3996
Story points:-
Velocity based estimate:-
Release:1.14.0
Release relationship:Auto

Description

When creating an organization or location, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML.

This occurs in the alert box stating that "Assigning hosts to ... will also update ... to include all the resources that the selected hosts are currently using."

This may permit a stored XSS attack if an organization with HTML in its name was added, then a user was directed to the specific URL of the wizard. However there are no direct links back to the wizard, so ordinarily this would only affect the user who created the org/location.

Affects Foreman 1.1 and higher.

Reported by Sanket Jagtap to .

Associated revisions

Revision 5a573456
Added by Tomer Brisker 3 months ago

Fixes #17195 - CVE-2016-8634 escape html in alert text

The alert helper used to mark the alert text as html_safe by default.
However, in some cases it may be possible for a user to enter custom
text into the alert message leading to a possible XSS vulnerability.
This patch changes this so that text is escaped unless explicitly
marked as html_safe in the code.
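As an added illustration of the behaviour the commit message describes (this is not Foreman's own helper code), a small Ruby stand-in: the hypothetical alert_before keeps the old html_safe-by-default behaviour, alert_after escapes unless the caller explicitly marked the text html_safe, and SafeString/html_safe mimic only the Rails SafeBuffer flag so the snippet runs without ActiveSupport.

```ruby
require "erb"

# Assumption: a minimal stand-in for ActiveSupport::SafeBuffer. It carries
# only the "already safe HTML" flag, nothing else from Rails.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# Hypothetical reconstruction of the old helper: whatever text it receives
# is treated as trusted HTML, so markup inside an organization name renders.
def alert_before(text)
  "<div class=\"alert\">#{text}</div>"
end

# Fixed behaviour as described in the commit message: escape the text unless
# the code explicitly marked it html_safe.
def alert_after(text)
  body = text.html_safe? ? text : ERB::Util.html_escape(text)
  "<div class=\"alert\">#{body}</div>"
end

# Constructed sample: an organization name that contains markup.
ORG_NAME = "Finance <script>alert(1)</script>"

# The wizard message, with the user-controlled name interpolated into it.
def message_for(org_name)
  "Assigning hosts to #{org_name} will also update it to include all " \
    "the resources that the selected hosts are currently using."
end

if __FILE__ == $PROGRAM_NAME
  puts alert_before(message_for(ORG_NAME))            # script tag survives
  puts alert_after(message_for(ORG_NAME))             # script tag escaped
  puts alert_after("<strong>Saved.</strong>".html_safe) # explicit html_safe kept
end
```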

History

#1 Updated by Dominic Cleal 4 months ago

  • Subject changed from Organization/location wizard may run stored XSS through alert to CVE-2016-8634 - Organization/location wizard may run stored XSS through alert

#2 Updated by Tomer Brisker 4 months ago

  • Status changed from New to Assigned
  • Assigned To set to Tomer Brisker

#3 Updated by The Foreman Bot 4 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3996 added

#4 Updated by Anonymous 3 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
