Project

General

Profile

Bug #21519

CVE-2017-15100: Stored XSS in fact name or value

Added by Tomer Brisker 11 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Sending a fact name or value containing HTML can lead to a stored XSS in the following pages:

- Facts page - When opening a chart for a fact that has HTML in it's name or as one of the values.
- Trends page - A trend containing a value that includes HTML in it.
- Statistics page - Fact values that are aggregated on the page such as manufacturer and contain HTML.

This issue has been reported by Roman Mueller.


Related issues

Related to Foreman - Bug #24834: Fact names and values are not displayed properly New

Associated revisions

Revision 81e40e3a (diff)
Added by Tomer Brisker 11 months ago

Fixes #21519 - Prevent stored XSS on fact charts

History

#1 Updated by Tomer Brisker 11 months ago

  • Legacy Backlogs Release (now unused) set to 240

Setting for 1.16 for now, will possibly do another 1.15 release if needed.

#2 Updated by Tomer Brisker 11 months ago

  • Description updated (diff)

#3 Updated by The Foreman Bot 11 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4967 added

#4 Updated by Tomer Brisker 11 months ago

  • Subject changed from Stored XSS in fact name or value to CVE-2017-15100: Stored XSS in fact name or value

#5 Updated by Anonymous 11 months ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#6 Updated by Bryan Kearney 6 months ago

  • Bugzilla link set to 1509442

#7 Updated by Marek Hulán 13 days ago

  • Related to Bug #24834: Fact names and values are not displayed properly added

Also available in: Atom PDF