Project

General

Profile

Actions

Bug #6149

closed

CVE-2014-3492 - XSS in host YAML view

Added by Dominic Cleal over 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Urgent
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The host YAML view (preview of YAML data for Puppet) is vulnerable to cross-site scripting attacks, when data relating to the host (such as parameters) contains HTML content.

1. Edit a host, add a parameter with HTML as its name or value
2. View the host, click the YAML button


Files

Actions #1

Updated by Lukas Zapletal over 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Lukas Zapletal

Reproduced, working on a fix.

Actions #3

Updated by Lukas Zapletal over 9 years ago

  • Status changed from Assigned to Ready For Testing

Please review.

Actions #4

Updated by Dominic Cleal over 9 years ago

  • Subject changed from EMBARGOED: XSS in host YAML view to EMBARGOED: CVE-2014-3492 - XSS in host YAML view
Actions #5

Updated by Dominic Cleal over 9 years ago

  • Status changed from Ready For Testing to Pending

ACK, thanks Lukas!

Actions #6

Updated by Dominic Cleal over 9 years ago

  • Target version changed from 1.8.2 to 1.8.1
Actions #7

Updated by Dominic Cleal over 9 years ago

  • translation missing: en.field_release changed from 16 to 19
Actions #8

Updated by Dominic Cleal over 9 years ago

  • Subject changed from EMBARGOED: CVE-2014-3492 - XSS in host YAML view to CVE-2014-3492 - XSS in host YAML view
  • Description updated (diff)
  • Private changed from Yes to No
Actions #9

Updated by Lukas Zapletal over 9 years ago

  • Status changed from Pending to Closed
  • % Done changed from 0 to 100
Actions #10

Updated by Dominic Cleal over 9 years ago

Fixes committed to 1.4-stable, 1.5-stable and develop.

Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.

Actions

Also available in: Atom PDF