Bug #6149

CVE-2014-3492 - XSS in host YAML view

Added by Dominic Cleal almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Urgent
Assigned To: Lukas Zapletal
Category: Security
Target version: Sprint 25
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points: -
Velocity based estimate: -
Release: 1.4.5
Release relationship: Auto

Description

The host YAML view (preview of YAML data for Puppet) is vulnerable to cross-site scripting attacks, when data relating to the host (such as parameters) contains HTML content.

1. Edit a host, add a parameter with HTML as its name or value
2. View the host, click the YAML button

0001-fixes-6149-fixed-XSS-in-host-YAML-view.patch (886 Bytes) Lukas Zapletal, 06/11/2014 02:16 PM

Associated revisions

Revision d40f5409
Added by Lukas Zapletal almost 3 years ago

fixes #6149 - fixed XSS in host YAML view (CVE-2014-3492)

History

#1 Updated by Lukas Zapletal almost 3 years ago

  • Status changed from New to Assigned
  • Assigned To set to Lukas Zapletal

Reproduced, working on a fix.

#2 Updated by Lukas Zapletal almost 3 years ago

Attached is a fix that escapes HTML.

#3 Updated by Lukas Zapletal almost 3 years ago

  • Status changed from Assigned to Ready For Testing

Please review.

#4 Updated by Dominic Cleal almost 3 years ago

  • Subject changed from EMBARGOED: XSS in host YAML view to EMBARGOED: CVE-2014-3492 - XSS in host YAML view

#5 Updated by Dominic Cleal almost 3 years ago

  • Status changed from Ready For Testing to Pending

ACK, thanks Lukas!

#6 Updated by Dominic Cleal almost 3 years ago

  • Target version changed from Sprint 24 to Sprint 25

#7 Updated by Dominic Cleal almost 3 years ago

  • Release changed from 1.5.1 to 1.4.5

#8 Updated by Dominic Cleal almost 3 years ago

  • Subject changed from EMBARGOED: CVE-2014-3492 - XSS in host YAML view to CVE-2014-3492 - XSS in host YAML view
  • Description updated
  • Private changed from Yes to No

#9 Updated by Lukas Zapletal almost 3 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100

#10 Updated by Dominic Cleal almost 3 years ago

Fixes committed to 1.4-stable, 1.5-stable and develop.

Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.
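
The pattern this issue describes (host data rendered as YAML into an HTML page) and the fix of escaping HTML, as an added Ruby example; it is not Foreman's code or the attached patch. The function names, the `<pre>` wrapper and the sample host data are assumptions constructed for illustration.

```ruby
require "yaml"
require "erb"

# Constructed sample: ENC-style host data where a parameter name and value
# contain HTML, as in the reproduction steps.
SAMPLE_HOST_INFO = {
  "classes"    => { "ntp" => nil },
  "parameters" => {
    "owner"       => "ops",
    "<b>name</b>" => "<script>alert(1)</script>",
  },
}.freeze

# Vulnerable pattern: the YAML is interpolated into the page as-is, so markup
# stored in host data becomes live HTML in the viewer's browser.
def render_yaml_unsafe(info)
  "<pre>#{info.to_yaml}</pre>"
end

# Hardened pattern: HTML-escape the serialized YAML at output time. The stored
# data is untouched; only its rendering changes.
def render_yaml_escaped(info)
  "<pre>#{ERB::Util.html_escape(info.to_yaml)}</pre>"
end

# Text between the <pre> wrapper tags (hypothetical helper for the checks).
def pre_body(html)
  html[%r{\A<pre>(.*)</pre>\z}m, 1]
end

# Regression check: true if any raw angle bracket survives inside the <pre>.
def markup_in_body?(html)
  pre_body(html).match?(/[<>]/)
end

ENTITIES = { "&lt;" => "<", "&gt;" => ">", "&amp;" => "&",
             "&quot;" => '"', "&#39;" => "'" }.freeze

# Reverses html_escape in one pass, to show the escaping is lossless.
def unescape_html(text)
  text.gsub(/&(?:lt|gt|amp|quot|#39);/, ENTITIES)
end

if __FILE__ == $PROGRAM_NAME
  puts render_yaml_unsafe(SAMPLE_HOST_INFO)
  puts render_yaml_escaped(SAMPLE_HOST_INFO)
end
```

A check like `markup_in_body?` is the kind of assertion a regression test for this view can make against a host whose parameters contain markup.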
