Bug #16022

CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

Added by Dominic Cleal about 2 years ago. Updated 2 months ago.

Status: Closed
Priority: Normal
Assignee: Tomer Brisker
Category: Security
Target version: 1.7.1
Difficulty:
Triaged:
Bugzilla link: 1421803
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Network interface identifiers stored for hosts may contain HTML or JavaScript that allows a stored XSS (cross-site scripting) vulnerability when later viewing the host edit form.

This issue was reported by Sanket Jagtap.

CVE identifier will be assigned.
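Added illustration of the vulnerability class described above. This is not Foreman's code and not the change made in the linked pull request (the diff is not shown on this page); it assumes a form view that interpolates the stored interface identifier into an HTML attribute, and the identifier string, function names and the `renders_as_markup?` check are constructed for the example.

```ruby
require "erb"
require "json"

# Constructed sample input (not taken from the report): an identifier as a user
# permitted to edit a host's interfaces could store it.
MALICIOUS_IDENTIFIER = %q(eth0"><script>alert(document.cookie)</script>)

# Vulnerable pattern: the stored identifier is interpolated into the form markup
# verbatim (the equivalent of `raw`/`html_safe` in a Rails view). The double quote
# closes the value attribute and the browser parses the rest as a script tag.
def render_identifier_unsafe(identifier)
  %(<input type="text" name="interface[identifier]" value="#{identifier}">)
end

# Hardened pattern: escape on output, so <, >, ", ' and & become entities and the
# identifier is shown as text inside the attribute (what Rails' <%= %> does by
# default unless the value is marked html_safe).
def render_identifier_safe(identifier)
  %(<input type="text" name="interface[identifier]" value="#{ERB::Util.html_escape(identifier)}">)
end

# Context caveat: if the same identifier is also echoed into an inline <script>
# block as a JS string literal, HTML escaping is the wrong tool. Serialise it as
# JSON and additionally escape < and > so a stored "</script>" cannot terminate
# the script block.
def js_literal_safe(identifier)
  identifier.to_json.gsub("<") { "\\u003c" }.gsub(">") { "\\u003e" }
end

# Check over rendered markup: a raw tag or an attribute break-out inside the
# value attribute means the stored text reached the page as HTML, not as text.
def renders_as_markup?(html)
  value = html[/value="(.*)">\z/m, 1]
  value.nil? || value.include?("<") || value.include?('"')
end

if __FILE__ == $0
  puts render_identifier_unsafe(MALICIOUS_IDENTIFIER)
  puts render_identifier_safe(MALICIOUS_IDENTIFIER)
  puts js_literal_safe("</script>")
end
```

The escaping has to happen at output time in the view, not by stripping characters when the identifier is saved: the stored value may legitimately contain characters that are harmless in one context and dangerous in another, and only the renderer knows which context it is writing into.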

Associated revisions

Revision 53081ea1 (diff)
Added by Tomer Brisker about 2 years ago

Fixes #16022 - Prevent stored XSS in host interface form

The host interface form may contain a stored XSS in the identifier field
allowing a user allowed to edit a host's interfaces to cause code
execution by another user viewing that host's edit form.

Revision 2ab766fa (diff)
Added by Tomer Brisker about 2 years ago

Fixes #16022 - Prevent stored XSS in host interface form

The host interface form may contain a stored XSS in the identifier field
allowing a user allowed to edit a host's interfaces to cause code
execution by another user viewing that host's edit form.

(cherry picked from commit 53081ea14b30d66f0d67b62fe950a2c1463225f5)

History

#1 Updated by The Foreman Bot about 2 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/3714 added

#2 Updated by Tomer Brisker about 2 years ago

  • Target version set to 1.7.1

#3 Updated by Anonymous about 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Dominic Cleal about 2 years ago

  • Subject changed from Network interface device identifiers may contain stored XSS on host form to CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form

#5 Updated by Daniel Lobato Garcia about 2 years ago

  • Target version changed from 1.7.1 to 1.6.2

#6 Updated by Daniel Lobato Garcia about 2 years ago

  • Target version changed from 1.6.2 to 1.7.1

#7 Updated by Ohad Levy over 1 year ago

  • Bugzilla link set to 1421803
