Project

General

Custom queries

Profile

Actions
Copy link

Bug #21519

closed

CVE-2017-15100: Stored XSS in fact name or value

Added by Tomer Brisker over 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Tomer Brisker
Category:
Security
Target version:
1.16.0
Difficulty:
Triaged:
Bugzilla link:
1509442
Pull request:
https://github.com/theforeman/foreman/pull/4967
Fixed in Releases:
Found in Releases:
1.2.0
Red Hat JIRA:

Description

Sending a fact name or value containing HTML can lead to a stored XSS in the following pages:

- Facts page - When opening a chart for a fact that has HTML in it's name or as one of the values.
- Trends page - A trend containing a value that includes HTML in it.
- Statistics page - Fact values that are aggregated on the page such as manufacturer and contain HTML.

This issue has been reported by Roman Mueller.

Related issues 1 (0 open1 closed)

Related to Foreman - Bug #24834: Fact names and values are not displayed properlyClosedb shActions
#1

Updated by Tomer Brisker over 7 years ago

  • Translation missing: en.field_release set to 240
#2

Updated by Tomer Brisker over 7 years ago

  • Description updated (diff)
#3

Updated by The Foreman Bot over 7 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4967 added
#4

Updated by Tomer Brisker over 7 years ago

  • Subject changed from Stored XSS in fact name or value to CVE-2017-15100: Stored XSS in fact name or value
#5

Updated by Anonymous over 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
#6

Updated by Bryan Kearney about 7 years ago

  • Bugzilla link set to 1509442
#7

Updated by Marek Hulán over 6 years ago

  • Related to Bug #24834: Fact names and values are not displayed properly added
Actions
Copy link

Also available in: Atom PDF