Bug #20963

CVE-2017-7535: stored XSS in the manage organization page

Added by Tomer Brisker 2 months ago. Updated 2 months ago.

Status:Closed
Priority:Low
Assigned To:Tomer Brisker
Category:Security
Target version:-
Difficulty:
Bugzilla link:
Found in release:1.1
Pull request:https://github.com/theforeman/foreman/pull/4851
Story points:-
Velocity based estimate:-
Release:1.16.0
Release relationship:Auto

Description

Attempting to assign all hosts to an organization or location whose name contains HTML does not properly escape that HTML in the toast notification informing of success.
Setting priority to low since exploiting this requires a user to actively assign hosts to an organization that contains HTML in its name, which is visible to the user prior to taking action.
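The unescaped interpolation the report describes, beside an escaped form, as an added example; this is not Foreman's code and not the change from the linked pull request, and the message template, the function names and the sample organization name are assumptions.

```javascript
// Added example (not Foreman's code): a success toast that interpolates an
// organization name into HTML without escaping, beside the escaped form.
// The organization name below is a constructed sample, not from the report.

// Minimal HTML escaper covering the characters that matter in element
// content and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw name is dropped into markup that is later
// assigned to innerHTML, so any markup in the name becomes part of the page.
function toastHtmlUnsafe(count, orgName) {
  return `<div class="toast success">${count} hosts assigned to ${orgName}</div>`;
}

// Hardened pattern: every untrusted value is escaped before it enters the markup.
function toastHtmlSafe(count, orgName) {
  return `<div class="toast success">${count} hosts assigned to ${escapeHtml(orgName)}</div>`;
}

// Check a reviewer or a test can run over a rendered toast: does the body
// contain any tag beyond the wrapper the template itself introduces?
function containsForeignTag(html) {
  const inner = html
    .replace(/^<div class="toast success">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample: an organization name carrying harmless markup.
const sampleName = 'Finance <b>Dept</b>';

console.log(toastHtmlUnsafe(3, sampleName)); // markup survives into the page
console.log(toastHtmlSafe(3, sampleName));   // markup is shown as literal text
```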

Associated revisions

Revision b8db2f93
Added by Tomer Brisker 2 months ago

Fixes #20963 - CVE-2017-7535 prevent XSS on org/loc host assign

Revision 08aea206
Added by Tomer Brisker 2 months ago

Fixes #20963 - CVE-2017-7535 prevent XSS on org/loc host assign

(cherry picked from commit b8db2f931208992d6bcff44a2d20101637f6c232)

History

#1 Updated by The Foreman Bot 2 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4851 added

#2 Updated by Daniel Lobato Garcia 2 months ago

  • Release set to 1.16.0

#3 Updated by Anonymous 2 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
