Bug #16022
CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form
Description
Network interface identifiers stored for hosts may contain HTML or JavaScript that allows a stored XSS (cross-site scripting) vulnerability when later viewing the host edit form.
This issue was reported by Sanket Jagtap.
CVE identifier will be assigned.
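An added example (not Foreman's code and not the fix from the pull request) of the two controls relevant to this class of issue: HTML-escaping a stored interface identifier at the point of output, and validating it before storage. The sample records, function names and the identifier allowlist are assumptions made for illustration.

```ruby
require "erb"

# Constructed sample: interface records as they might be stored for a host.
# The second identifier carries markup, as in the issue described above.
SAMPLE_INTERFACES = [
  { identifier: "eth0", mac: "52:54:00:aa:bb:01" },
  { identifier: %q{eth1"><script>alert(1)</script>}, mac: "52:54:00:aa:bb:02" },
].freeze

# Hypothetical allowlist for device names (eth0, bond0.100, eth0:1, ...),
# capped at 15 characters to match the Linux interface name limit.
IDENTIFIER_FORMAT = /\A[A-Za-z0-9][A-Za-z0-9_.:\-]{0,14}\z/

# Before: the stored value is interpolated straight into form markup, so a
# quote or angle bracket in the identifier changes the page structure.
def render_row_unsafe(iface)
  %(<tr><td><input name="identifier" value="#{iface[:identifier]}"></td></tr>)
end

# After: the stored value is HTML-escaped where it is written into the page,
# so it can only ever appear as text inside the attribute.
def render_row_escaped(iface)
  id = ERB::Util.html_escape(iface[:identifier])
  %(<tr><td><input name="identifier" value="#{id}"></td></tr>)
end

# Defence in depth: reject identifiers that do not look like device names
# before they are stored.
def valid_identifier?(value)
  IDENTIFIER_FORMAT.match?(value.to_s)
end

# Audit helper: list already-stored identifiers that would fail validation.
def suspicious_identifiers(interfaces)
  interfaces.map { |i| i[:identifier] }.reject { |id| valid_identifier?(id) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INTERFACES.each { |i| puts render_row_escaped(i) }
  puts "needs review: #{suspicious_identifiers(SAMPLE_INTERFACES).inspect}"
end
```

Output escaping is the control that closes the hole; the allowlist only narrows what can be stored and helps find records saved before the fix.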
Associated revisions
Fixes #16022 - Prevent stored XSS in host interface form
The host interface form may contain a stored XSS in the identifier field
allowing a user allowed to edit a host's interfaces to cause code
execution by another user viewing that host's edit form.
(cherry picked from commit 53081ea14b30d66f0d67b62fe950a2c1463225f5)
History
#1
Updated by The Foreman Bot over 6 years ago
- Status changed from New to Ready For Testing
- Assignee set to Tomer Brisker
- Pull request https://github.com/theforeman/foreman/pull/3714 added
#2
Updated by Tomer Brisker over 6 years ago
- Target version set to 1.7.1
#3
Updated by Anonymous over 6 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 53081ea14b30d66f0d67b62fe950a2c1463225f5.
#4
Updated by Dominic Cleal over 6 years ago
- Subject changed from Network interface device identifiers may contain stored XSS on host form to CVE-2016-6320 - Network interface device identifiers may contain stored XSS on host form
#5
Updated by Daniel Lobato Garcia over 6 years ago
- Target version changed from 1.7.1 to 1.6.2
#6
Updated by Daniel Lobato Garcia over 6 years ago
- Target version changed from 1.6.2 to 1.7.1
#7
Updated by Ohad Levy about 6 years ago
- Bugzilla link set to 1421803