Project

General

Profile

Actions

Bug #11859

closed

CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change

Added by Dominic Cleal about 9 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

We allow storage of key/value parameters globally or assigned to various objects, and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box.

An example on the global parameters form is:

"><script>alert("hi")</script><b c="

Store this in a parameter value, reload the page and click the "Hidden value" checkbox and the JavaScript will execute. The reverse is probably possible too.

Actions #1

Updated by The Foreman Bot about 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2736 added
  • Pull request deleted ()
Actions #2

Updated by Dominic Cleal about 9 years ago

  • Subject changed from Parameter hide/show checkbox allows XSS during textbox change to CVE-2015-5282 - Parameter hide/show checkbox allows stored XSS during textbox change
  • Description updated (diff)
Actions #3

Updated by Dominic Cleal about 9 years ago

  • Assignee set to Shlomi Zadok
Actions #4

Updated by Shlomi Zadok about 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #5

Updated by Bryan Kearney almost 9 years ago

  • Bugzilla link set to 1268995
Actions

Also available in: Atom PDF