Bug #11859
CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
Description
We allow storage of key/value parameters globally or assigned to various objects, and a tickbox in the UI lets the value be hidden to mask it from casual viewing. The tickbox that hides/shows the value fails to escape HTML when it re-renders the field, so it is vulnerable to a stored XSS issue: HTML can be stored in a parameter value and is executed in another user's browser if they later tick the hide/show box.
An example on the global parameters form is:
"><script>alert("hi")</script><b c="
Store this in a parameter value, reload the page and click the "Hidden value" checkbox and the JavaScript will execute. The reverse is probably possible too.
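The pattern behind this bug and its fix, as an added example that is not Foreman's code and not the changeset referenced in this issue's history: a hide/show toggle that rebuilds the value field as markup, shown once without escaping and once with it, using the payload from the description as the stored value. Function names are hypothetical.

```javascript
// Added example (not Foreman's code). Assumption: the toggle rebuilds the
// field markup from the stored value, which is what makes escaping mandatory.

// Minimal HTML escaping for text placed inside an attribute or element body.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Vulnerable pattern: the stored value is spliced straight into markup,
// so a value containing `">` closes the attribute and starts new tags.
function renderValueFieldUnsafe(value, hidden) {
  const type = hidden ? 'password' : 'text';
  return `<input type="${type}" name="value" value="${value}">`;
}

// Hardened pattern: the stored value is escaped before it touches markup,
// so it can only ever appear as attribute text.
function renderValueFieldSafe(value, hidden) {
  const type = hidden ? 'password' : 'text';
  return `<input type="${type}" name="value" value="${escapeHtml(value)}">`;
}

// Regression check: whatever the stored value contains, the rendered field
// must still be exactly one <input> tag and nothing else.
function rendersSingleInput(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.length === 1 && /^<input\b/.test(tags[0]);
}

// Constructed sample input: the payload quoted in the issue description.
const storedValue = '"><script>alert("hi")</script><b c="';

console.log(rendersSingleInput(renderValueFieldUnsafe(storedValue, true))); // false
console.log(rendersSingleInput(renderValueFieldSafe(storedValue, true)));   // true
```

The same check applies to any other place the value is re-rendered (for example when the box is unticked again), which is the "reverse" direction the description mentions.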
Associated revisions
History
#1
Updated by The Foreman Bot over 7 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2736 added
- Pull request deleted ()
#2
Updated by Dominic Cleal over 7 years ago
- Subject changed from Parameter hide/show checkbox allows XSS during textbox change to CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
- Description updated (diff)
#3
Updated by Dominic Cleal over 7 years ago
- Assignee set to Shlomi Zadok
#4
Updated by Shlomi Zadok over 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 4f3555b217be8723e8045f9816d147b5f684ec57.
#5
Updated by Bryan Kearney over 7 years ago
- Bugzilla link set to 1268995
Fixes #11859 - handle HTML in parameters safely when hiding values (CVE-2015-5282)