Project

General

Profile

Actions
Copy link

Bug #25275

open

Stored XSS In job invocation page

Added by Sanket Jagtap over 6 years ago. Updated over 6 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
foreman_remote_execution 1.6.2 (Foreman 1.20)
Red Hat JIRA:

Description

rpm -qa | grep remote
tfm-rubygem-foreman_remote_execution-1.5.6-3.el7sat.noarch
tfm-rubygem-hammer_cli_foreman_remote_execution-0.1.0-1.el7sat.noarch
rubygem-smart_proxy_remote_execution_ssh-0.2.0-3.el7sat.noarch
tfm-rubygem-foreman_remote_execution_core-1.1.3-1.el7sat.noarch

Steps:
1. Create a new Job Template https://sat-host/job_templates or clone a template
2. Edit the cloned template and Navigate to Jobs tab
3. Create a User Input with description as <svg/onload=alert('XSS')>
4. Run the template
5. Go to the Custom Field you created and click to get the description toast message

The Script is Executed.

Also , reproducible in Current stable nightly,
foreman-release-1.21.0-0.1.develop.el7.noarch
foreman-selinux-1.21.0-0.201810181136gitcedb6210.1.develop.el7.noarch
foreman-installer-1.21.0-0.201810190326gitf8d45fb0.1.develop.el7.noarch

In current upstream nightly, the above step is slightly changed and we have a separate template Input tab. But, it is still vulnerable

Files

XXS.png View XXS.png 65.3 KB Executed Script Sanket Jagtap, 10/23/2018 04:17 AM
Actions
Copy link
 #1

Updated by Sanket Jagtap over 6 years ago

Actions
Copy link

Also available in: Atom PDF