Project

General

Profile

Actions
Copy link

Bug #20963

closed

CVE-2017-7535: stored XSS in the manage organization page

Added by Tomer Brisker about 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Low
Assignee:
Tomer Brisker
Category:
Security
Target version:
1.16.0
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/4851
Fixed in Releases:
Found in Releases:
Smart Proxy - 1.1
Red Hat JIRA:

Description

Attempting to assign all hosts to an organization or location that contains HTML does not properly escape the html in the toast notification informing of success.
Setting priority to low since exploiting this requires a user to actively assign hosts to an organization that contains html in its name which is visible to the user prior to taking action.

Actions
Copy link
 #1

Updated by The Foreman Bot about 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4851 added
Actions
Copy link
 #2

Updated by Daniel Lobato Garcia about 7 years ago

  • Translation missing: en.field_release set to 240
Actions
Copy link
 #3

Updated by Anonymous about 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF