Bug #21519: CVE-2017-15100: Stored XSS in fact name or value - Foreman

Actions

Bug #21519

closed

CVE-2017-15100: Stored XSS in fact name or value

Added by Tomer Brisker about 7 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Security

Target version:

Difficulty:

Triaged:

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman/pull/4967

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

Sending a fact name or value containing HTML can lead to a stored XSS in the following pages:

- Facts page - When opening a chart for a fact that has HTML in it's name or as one of the values.
- Trends page - A trend containing a value that includes HTML in it.
- Statistics page - Fact values that are aggregated on the page such as manufacturer and contain HTML.

This issue has been reported by Roman Mueller.

Related issues 1 (0 open — 1 closed)

Actions

#1

Updated by Tomer Brisker about 7 years ago

Translation missing: en.field_release set to 240

Setting for 1.16 for now, will possibly do another 1.15 release if needed.

Actions

#2

Updated by Tomer Brisker about 7 years ago

Description updated (diff)

Actions

#3

Updated by The Foreman Bot about 7 years ago

Status changed from Assigned to Ready For Testing
Pull request https://github.com/theforeman/foreman/pull/4967 added

Actions

#4

Updated by Tomer Brisker about 7 years ago

Subject changed from Stored XSS in fact name or value to CVE-2017-15100: Stored XSS in fact name or value

Actions

#5

Updated by Anonymous about 7 years ago

Status changed from Ready For Testing to Closed
% Done changed from 0 to 100

Applied in changeset 81e40e3a14a90c11c4193bebc7eecb79c2cfb9b1.

Actions

#6

Updated by Bryan Kearney almost 7 years ago

Bugzilla link set to 1509442

Actions

#7

Updated by Marek Hulán over 6 years ago

Related to Bug #24834: Fact names and values are not displayed properly added

Actions

Also available in: Atom PDF