Project

General

Profile

Actions
Copy link

Bug #16019

closed

CVE-2016-6319 - Persistent XSS in job invocation form triggered by unescaped user input name

Added by Marek Hulán over 7 years ago. Updated almost 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Marek Hulán
Category:
Foreman
Target version:
1.6.3
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The value is used for label in job invocation form. The vulnerability/fix belongs to Foreman which stopped escaping the label since [1.6.0](https://github.com/theforeman/foreman/commit/2af7c64a3b9c2699a3131483bc2344b50c138542#diff-d07b3cdd6c00768e06bfed349d3c808fR157).

Related issues 1 (0 open1 closed)

Related to Foreman - Bug #16024: Foreman form helpers do not escape JS when rendering labelClosedMarek Hulán08/09/2016Actions
Actions
Copy link
 #1

Updated by Marek Hulán over 7 years ago

  • Related to Bug #16024: Foreman form helpers do not escape JS when rendering label added
Actions
Copy link
 #2

Updated by Marek Hulán over 7 years ago

  • Subject changed from Persistent XSS in job invocation form triggered by unescaped user input name to CVE-2016-6319 - Persistent XSS in job invocation form triggered by unescaped user input name
  • Status changed from New to Ready For Testing
Actions
Copy link
 #3

Updated by Marek Hulán over 7 years ago

  • Status changed from Ready For Testing to Resolved

Foreman fix was merged to develop branch, the tracking issue is currently set to 1.12.2 so the fix should be in next stable release.

Actions
Copy link

Also available in: Atom PDF