CVE-2017-15100: Stored XSS in fact name or value
|Assigned To:|Tomer Brisker|
|Found in release:|1.2.0|
|Pull request:|https://github.com/theforeman/foreman/pull/4967|
Sending a fact name or value containing HTML can lead to a stored XSS in the following pages:
- Facts page - When opening a chart for a fact that has HTML in its name or as one of the values.
- Trends page - A trend containing a value that includes HTML.
- Statistics page - Fact values that are aggregated on the page, such as manufacturer, and contain HTML.
This issue has been reported by Roman Mueller.
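
The unescaped and escaped rendering of aggregated fact values, as an added example: this is not Foreman's code or the change in the pull request. The sample facts, the helper names, and the assumption that chart data is embedded as JSON in a script block are all constructed for illustration.

```ruby
require 'erb'
require 'json'

# Constructed sample: facts as reported by hosts, i.e. untrusted input.
SAMPLE_FACTS = [
  { host: 'web01', name: 'manufacturer', value: 'Dell Inc.' },
  { host: 'web02', name: 'manufacturer', value: '<script>alert(1)</script>' },
  { host: 'web03', name: 'manufacturer', value: 'Dell Inc.' }
].freeze

# Aggregate one fact's values into value => host count, as a statistics view would.
def aggregate(facts, fact_name)
  facts.select { |f| f[:name] == fact_name }
       .each_with_object(Hash.new(0)) { |f, counts| counts[f[:value]] += 1 }
end

# Vulnerable pattern: the stored value is interpolated into markup as-is.
def legend_unsafe(counts)
  counts.map { |label, n| "<li>#{label} (#{n})</li>" }.join
end

# Hardened pattern: HTML-escape every label at the point of output.
def legend_safe(counts)
  counts.map { |label, n| "<li>#{ERB::Util.html_escape(label)} (#{n})</li>" }.join
end

# Chart data embedded in a <script> block (assumed delivery path): JSON quoting
# does not neutralise "</script>", so emit <, > and & as \uXXXX escapes.
def chart_json_safe(counts)
  JSON.generate(counts.map { |label, n| { label: label.to_s, count: n } })
      .gsub(/[<>&]/) { |c| format('\\u%04x', c.ord) }
end

# Audit helper: stored facts whose name or value contains tag-like markup.
def suspicious_facts(facts)
  facts.select { |f| [f[:name], f[:value]].any? { |s| s.to_s.match?(/<[^>]*>/) } }
end

counts = aggregate(SAMPLE_FACTS, 'manufacturer')
puts legend_unsafe(counts)
puts legend_safe(counts)
puts chart_json_safe(counts)
puts suspicious_facts(SAMPLE_FACTS).map { |f| f[:host] }.inspect
```

The audit helper only finds values already stored; escaping at output is what keeps them inert when rendered.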