Bug #4456

closed

CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page

Added by Dominic Cleal about 11 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Urgent
Assignee:
Category: Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Description
Any user who has a privilege to add bookmarks could exploit the cross site scripting vulnerability to expose other users' personal data by storing malicious scripts when adding a bookmark. As the script is permanently stored, every time others access /bookmarks to view the bookmarks, they will be affected.

Severity: High

Affected URLs
http://$foreman/bookmarks

Steps
Add a bookmark with some script code (e.g. <script>alert('xss')</script>) set as its bookmark name
Access /bookmarks to view bookmarks

Result
The script will be executed.

Remedy advice
User inputs such as special characters must be validated, filtered or encoded before being returned as part of the HTML code of a page.

Reference
CWE-931 - http://cwe.mitre.org/data/definitions/931.html

Affects
Foreman 1.4.0 and higher. Foreman 1.3 and older are unaffected; they correctly escape the message.
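
The remedy advice above, shown as an added example that is not Foreman's code and not part of the original report: a hypothetical error page that prints an exception message containing a stored bookmark name, first unescaped and then HTML-encoded at output. The templates, helper names and message text are assumptions; the sample name is the one from the report's steps.

```ruby
require "erb"

# Constructed sample: the stored bookmark name from the report's steps.
STORED_NAME = "<script>alert('xss')</script>"

# Hypothetical 500 page that prints the exception message as-is.
# Plain ERB does not escape <%= %> output, so markup in the message
# is emitted verbatim into the page.
UNSAFE_TEMPLATE = ERB.new(<<~HTML)
  <h1>Oops, something went wrong</h1>
  <p class="error"><%= message %></p>
HTML

# Same page with the message HTML-encoded at the point of output.
SAFE_TEMPLATE = ERB.new(<<~HTML)
  <h1>Oops, something went wrong</h1>
  <p class="error"><%= ERB::Util.html_escape(message) %></p>
HTML

# An error message that embeds user-controlled data (assumed wording).
def error_message_for(name)
  "Could not load bookmark: #{name}"
end

def render_error_page(template, message)
  template.result_with_hash(message: message)
end

# Regression check for a test suite: true when a stored value that
# contains markup characters appears unencoded in the rendered page.
def reflects_markup?(html, stored_value)
  stored_value.match?(/[<>]/) && html.include?(stored_value)
end

if __FILE__ == $PROGRAM_NAME
  msg = error_message_for(STORED_NAME)
  { "unsafe" => UNSAFE_TEMPLATE, "safe" => SAFE_TEMPLATE }.each do |label, tpl|
    html = render_error_page(tpl, msg)
    puts "#{label}: reflects markup? #{reflects_markup?(html, STORED_NAME)}"
    puts html
  end
end
```
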


Files

0001-fixes-bookmark-error.patch (2.01 KB) v1 patch, Dominic Cleal, 02/26/2014 04:28 PM

Related issues 1 (0 open, 1 closed)

Related to Foreman - Bug #4519: Renaming host with / in name causes "No route matches" error (Closed, Tomer Brisker, 03/03/2014)
#1

Updated by Dominic Cleal about 11 years ago

  • Subject changed from Bookmark names are vulnerable to XSS to CVE-2014-0089 - Bookmark names are vulnerable to XSS
  • Description updated (diff)
#2

Updated by Dominic Cleal about 11 years ago

#6

Updated by Dominic Cleal about 11 years ago

  • Subject changed from CVE-2014-0089 - Bookmark names are vulnerable to XSS to CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page
#7

Updated by Dominic Cleal about 11 years ago

  • Description updated (diff)
#8

Updated by Dominic Cleal about 11 years ago

  • Related to Bug #4519: Renaming host with / in name causes "No route matches" error added
#9

Updated by Dominic Cleal about 11 years ago

  • Target version changed from 1.9.1 to 1.9.0
#10

Updated by Dominic Cleal about 11 years ago

  • Due date set to 03/18/2014
#11

Updated by Dominic Cleal about 11 years ago

  • Status changed from Assigned to Pending
#13

Updated by Dominic Cleal about 11 years ago

  • Private changed from Yes to No
#14

Updated by Joseph Magen about 11 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100
#15

Updated by Dominic Cleal about 11 years ago

  • Description updated (diff)