CVE-2014-3492 - XSS in host YAML view
The host YAML view (preview of YAML data for Puppet) is vulnerable to cross-site scripting attacks, when data relating to the host (such as parameters) contains HTML content.
1. Edit a host, add a parameter with HTML as its name or value
2. View the host, click the YAML button
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
Reproduced, working on a fix.
Attached is a fix that escapes HTML.
- Status changed from Assigned to Ready For Testing
- Subject changed from EMBARGOED: XSS in host YAML view to EMBARGOED: CVE-2014-3492 - XSS in host YAML view
- Status changed from Ready For Testing to Pending
- Target version changed from 1.8.2 to 1.8.1
- Legacy Backlogs Release (now unused) changed from 16 to 19
- Subject changed from EMBARGOED: CVE-2014-3492 - XSS in host YAML view to CVE-2014-3492 - XSS in host YAML view
- Description updated (diff)
- Private changed from Yes to No
- Status changed from Pending to Closed
- % Done changed from 0 to 100
Fixes committed to 1.4-stable, 1.5-stable and develop.
Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.
Also available in: Atom