Bug #12611
closed
CVE-2015-7518 - Smart class parameters/variables shown on host edit allows stored XSS in description
Description
Reported by Tomer Brisker to foreman-security:
I have discovered a stored XSS vulnerability in the host and hostgroup edit forms caused by smart class parameters and smart variables.
These forms display a popover that shows additional info about any of the parameters that can be overridden. The popover is rendered with HTML but contains values that can be input by a user - the parameter description, and in develop branch also the inherited value.
Effectively, any user who can edit parameters can input arbitrary HTML or JS into the description field or the default value, which will be executed once the popover is triggered by any other user.
This affects all versions of Foreman.
CVE identifier is CVE-2015-7518.
Updated by
Updated by Anonymous over 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 32468bce938067b1bbde1c2025771b5b83ce88ec.
Updated by Dominic Cleal over 9 years ago
The patch fixes a few distinct XSS paths in the same information popups:
- Source name in global parameters, e.g. the name of a host group (since #7163 in 1.7.0)
- Description field in smart variables/class parameters (since 1.2 or earlier)
- Matcher in smart variables/class parameter overrides (since 1.2 or earlier)
- Inherited value in smart variables/class parameter overrides (1.11/develop only, not released)
Updated by