Project

General

Custom queries

Profile

Actions
Copy link

Bug #12611

closed

CVE-2015-7518 - Smart class parameters/variables shown on host edit allows stored XSS in description

Added by Dominic Cleal over 9 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Tomer Brisker
Category:
Security
Target version:
1.10.0
Difficulty:
Triaged:
Bugzilla link:
1297040
Pull request:
https://github.com/theforeman/foreman/pull/2936
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Reported by Tomer Brisker to foreman-security:

I have discovered a stored XSS vulnerability in the host and hostgroup edit forms caused by smart class parameters and smart variables.

These forms display a popover that shows additional info about any of the parameters that can be overridden. The popover is rendered with HTML but contains values that can be input by a user - the parameter description, and in develop branch also the inherited value.

Effectively, any user who can edit parameters can input arbitrary HTML or JS into the description field or the default value, which will be executed once the popover is triggered by any other user.

This affects all versions of Foreman.

CVE identifier is CVE-2015-7518.

Related issues 2 (1 open1 closed)

Related to Foreman - Feature #7163: In host's edit page, show the source for the value of puppet class parametersClosed08/20/2014Actions
Related to Foreman - Feature #15495: URL's in parameter descriptionNew06/22/2016Actions
Actions
Copy link
 #1

Updated by Dominic Cleal over 9 years ago

  • Subject changed from Smart class parameters/variables shown on host edit allows stored XSS in description to CVE-2015-7518 - Smart class parameters/variables shown on host edit allows stored XSS in description
  • Description updated (diff)
Actions
Copy link
 #2

Updated by The Foreman Bot over 9 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/2936 added
Actions
Copy link
 #3

Updated by Anonymous over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #4

Updated by Dominic Cleal over 9 years ago

  • Translation missing: en.field_release set to 63
Actions
Copy link
 #5

Updated by Dominic Cleal over 9 years ago

The patch fixes a few distinct XSS paths in the same information popups:

  1. Source name in global parameters, e.g. the name of a host group (since #7163 in 1.7.0)
  2. Description field in smart variables/class parameters (since 1.2 or earlier)
  3. Matcher in smart variables/class parameter overrides (since 1.2 or earlier)
  4. Inherited value in smart variables/class parameter overrides (1.11/develop only, not released)
Actions
Copy link
 #6

Updated by Dominic Cleal over 9 years ago

  • Related to Feature #7163: In host's edit page, show the source for the value of puppet class parameters added
Actions
Copy link
 #7

Updated by Bryan Kearney over 9 years ago

  • Bugzilla link set to 1297040
Actions
Copy link
 #8

Updated by Dominic Cleal almost 9 years ago

Actions
Copy link

Also available in: Atom PDF