Project

General

Profile

Bug #6580

CVE-2014-3531 - XSS in operating system name / description

Added by Dominic Cleal over 4 years ago. Updated 5 months ago.

Status:
Closed
Priority:
High
Category:
Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Reported by Jan Hutaƙ via RHBZ:

There is a possible XSS with operating system name/description.

Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140605.0

How reproducible:
always

Steps to Reproduce:
1. Go to Hosts -> Operating systems -> Create new operating system
2. Fill "Name: T<b>OD</b>O" in
- OR -
Fill some "Name" and "Description: T<b>OD</b>O" in
3. Submit

Actual results:
In a list of operating systems unescaped string is displayed

Expected results:
HTML should be escaped

Associated revisions

Revision 98e584f5 (diff)
Added by Daniel Lobato Garcia over 4 years ago

Fixes #6580 - XSS in operating system name/description (CVE-2014-3531)

Revision bc7e27c5 (diff)
Added by Daniel Lobato Garcia over 4 years ago

Fixes #6580 - XSS in operating system name/description (CVE-2014-3531)

(cherry picked from commit 98e584f5a7860fb92a9916d5e5ec524372e3f8ae)

History

#1 Updated by Dominic Cleal over 4 years ago

  • Subject changed from XSS in operating system name / description to CVE-2014-3531 - XSS in operating system name / description

#2 Updated by Daniel Lobato Garcia over 4 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/1580 added
  • Pull request deleted ()

#3 Updated by Daniel Lobato Garcia over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by The Foreman Bot over 4 years ago

  • Status changed from Closed to Ready For Testing

#5 Updated by Dominic Cleal over 4 years ago

  • Status changed from Ready For Testing to Closed

#6 Updated by Dominic Cleal over 4 years ago

Fix released today in Foreman 1.5.2. Details posted on http://theforeman.org/security.html#2014-3531.

Also available in: Atom PDF