Bug #17195
Status: closed
CVE-2016-8634 - Organization/location wizard may run stored XSS through alert
Description
When creating an organization or location whose name contains HTML, the second step of the wizard (/organizations/id/step2) renders that HTML unescaped.
This occurs in the alert box stating that "Assigning hosts to ... will also update ... to include all the resources that the selected hosts are currently using."
This may permit a stored XSS attack if an organization with HTML in its name is added and a user is then directed to the specific URL of the wizard. However, there are no direct links back to the wizard, so ordinarily this would only affect the user who created the org/location.
Affects Foreman 1.1 and higher.
Reported by Sanket Jagtap to foreman-security@googlegroups.com.
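The following is an added illustration of the escaping defect described above, not code from Foreman or from the linked pull request. It reconstructs the step-2 alert in plain Ruby (no Rails) so it runs stand-alone: `alert_html_unsafe` interpolates the untrusted taxonomy name straight into the alert markup, `alert_html_safe` escapes it first with the standard-library `ERB::Util.html_escape`, and `leaks_markup?` is a small regression check. The wrapper `<div>`, the assumption that both blanks in the message carry the organization name, and the sample names are constructed for the example.

```ruby
require 'erb'

# Constructed sample organization names (not taken from the report).
SAMPLE_NAMES = {
  plain:  'Engineering',
  markup: 'Acme <b>Corp</b> & Co'
}.freeze

# Vulnerable pattern (hypothetical reconstruction of the step-2 alert, not Foreman's code):
# the untrusted name is interpolated directly into the alert markup, so any HTML in the
# name is emitted as-is and the browser parses it as markup.
def alert_html_unsafe(name)
  message = "Assigning hosts to #{name} will also update #{name} to include " \
            'all the resources that the selected hosts are currently using.'
  %(<div class="alert alert-info">#{message}</div>)
end

# Hardened pattern: escape the untrusted value at the point where it enters HTML.
# ERB::Util.html_escape turns <, >, &, " and ' into character references, so the
# name is displayed literally instead of being parsed.
def alert_html_safe(name)
  escaped = ERB::Util.html_escape(name)
  message = "Assigning hosts to #{escaped} will also update #{escaped} to include " \
            'all the resources that the selected hosts are currently using.'
  %(<div class="alert alert-info">#{message}</div>)
end

# Regression check: returns true when the name contains HTML-significant characters
# and still appears verbatim (i.e. unescaped) in the rendered output. Names without
# such characters can never leak markup, so they return false for both renderers.
def leaks_markup?(html, name)
  return false unless name.match?(/[<>&"']/)
  html.include?(name)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NAMES.each do |label, name|
    puts "#{label}: unsafe leaks=#{leaks_markup?(alert_html_unsafe(name), name)} " \
         "safe leaks=#{leaks_markup?(alert_html_safe(name), name)}"
  end
end
```

In a Rails view the same fix is usually achieved by leaving the interpolated value to ERB's default output escaping and never marking a string built from user input as `html_safe`; the plain-Ruby version above makes the before/after difference visible without a Rails environment.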
Updated by Dominic Cleal about 8 years ago
- Subject changed from Organization/location wizard may run stored XSS through alert to CVE-2016-8634 - Organization/location wizard may run stored XSS through alert
Updated by Tomer Brisker about 8 years ago
- Status changed from New to Assigned
- Assignee set to Tomer Brisker
Updated by The Foreman Bot about 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3996 added
Updated by Anonymous about 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 5a573456b5ecb3ba0d24e057722704f9afeda8f7.