Actions
Bug #6149
closed
CVE-2014-3492 - XSS in host YAML view
Description
The host YAML view (preview of YAML data for Puppet) is vulnerable to cross-site scripting attacks, when data relating to the host (such as parameters) contains HTML content.
1. Edit a host, add a parameter with HTML as its name or value
2. View the host, click the YAML button
Files
Updated by Lukas Zapletal almost 10 years ago
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
Reproduced, working on a fix.
Updated by Lukas Zapletal almost 10 years ago
- File 0001-fixes-6149-fixed-XSS-in-host-YAML-view.patch 0001-fixes-6149-fixed-XSS-in-host-YAML-view.patch added
Attached is a fix that escapes HTML.
Updated by Lukas Zapletal almost 10 years ago
- Status changed from Assigned to Ready For Testing
Please review.
Updated by Dominic Cleal almost 10 years ago
- Subject changed from EMBARGOED: XSS in host YAML view to EMBARGOED: CVE-2014-3492 - XSS in host YAML view
Updated by Dominic Cleal almost 10 years ago
- Status changed from Ready For Testing to Pending
ACK, thanks Lukas!
Updated by Dominic Cleal almost 10 years ago
- Target version changed from 1.8.2 to 1.8.1
Updated by Dominic Cleal almost 10 years ago
- translation missing: en.field_release changed from 16 to 19
Updated by Dominic Cleal almost 10 years ago
- Subject changed from EMBARGOED: CVE-2014-3492 - XSS in host YAML view to CVE-2014-3492 - XSS in host YAML view
- Description updated (diff)
- Private changed from Yes to No
Updated by Lukas Zapletal almost 10 years ago
- Status changed from Pending to Closed
- % Done changed from 0 to 100
Applied in changeset d40f5409ac36c1eab7b8a5ccf3d91cc6db90ce70.
Updated by Dominic Cleal almost 10 years ago
Fixes committed to 1.4-stable, 1.5-stable and develop.
Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.
Actions