Bug #6580
CVE-2014-3531 - XSS in operating system name / description
Description
Reported by Jan Hutař via RHBZ:
There is a possible XSS with operating system name/description.
Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140605.0
How reproducible:
always
Steps to Reproduce:
1. Go to Hosts -> Operating systems -> Create new operating system
2. Fill "Name: T<b>OD</b>O" in
- OR -
Fill some "Name" and "Description: T<b>OD</b>O" in
3. Submit
Actual results:
In the list of operating systems, the unescaped string is displayed
Expected results:
HTML should be escaped
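An added illustration, not code from the report or from Foreman, of the difference between the actual and expected results above in plain Ruby. The table-row rendering helpers, the `safe?` check and the sample rows are constructed for this example; the first row uses the `T<b>OD</b>O` value from the reproduction steps. The unescaped helper reproduces the reported behaviour (the attribute value is interpolated into the page as markup); the escaped helper shows the expected behaviour, where `ERB::Util.html_escape` turns `<` and `>` into entities before interpolation.

```ruby
require 'erb'

# Constructed sample rows. The first one carries the payload from the report.
OPERATING_SYSTEMS = [
  { name: 'T<b>OD</b>O', description: 'T<b>OD</b>O' },
  { name: 'RHEL 6',      description: 'Red Hat Enterprise Linux 6' }
].freeze

# The behaviour the report describes: user-controlled values are interpolated
# straight into the markup, so any tag in the value becomes part of the page.
def render_row_unescaped(os)
  "<tr><td>#{os[:name]}</td><td>#{os[:description]}</td></tr>"
end

# The expected behaviour: escape each value before it is interpolated.
# html_escape replaces & < > " ' with their HTML entities.
def render_row_escaped(os)
  name = ERB::Util.html_escape(os[:name])
  desc = ERB::Util.html_escape(os[:description])
  "<tr><td>#{name}</td><td>#{desc}</td></tr>"
end

# Pull the content of every <td> out of a rendered row (constructed helper).
def cells(html)
  html.scan(%r{<td>(.*?)</td>}m).flatten
end

# Regression check: a cell rendered from user input must not contain raw
# angle brackets; if it does, the value was not escaped.
def safe?(html)
  cells(html).none? { |cell| cell.include?('<') || cell.include?('>') }
end

# Render the whole list both ways and report which rows fail the check.
def audit(rows, renderer)
  rows.map { |os| [os[:name], safe?(send(renderer, os))] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{audit(OPERATING_SYSTEMS, :render_row_unescaped)}"
  puts "escaped:   #{audit(OPERATING_SYSTEMS, :render_row_escaped)}"
end
```

In a Rails view, `<%= %>` already escapes strings by default; the reported bug arises when a value is interpolated into raw markup or marked `html_safe` (the exact code path is not shown on this page). Running the block prints the unescaped renderer failing the check for the payload row and the escaped renderer passing for both rows.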
Associated revisions
Fixes #6580 - XSS in operating system name/description (CVE-2014-3531)
(cherry picked from commit 98e584f5a7860fb92a9916d5e5ec524372e3f8ae)
History
#1
Updated by Dominic Cleal over 8 years ago
- Subject changed from XSS in operating system name / description to CVE-2014-3531 - XSS in operating system name / description
#2
Updated by Daniel Lobato Garcia over 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/1580 added
- Pull request deleted
#3
Updated by Daniel Lobato Garcia over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 98e584f5a7860fb92a9916d5e5ec524372e3f8ae.
#4
Updated by The Foreman Bot over 8 years ago
- Status changed from Closed to Ready For Testing
#5
Updated by Dominic Cleal over 8 years ago
- Status changed from Ready For Testing to Closed
#6
Updated by Dominic Cleal over 8 years ago
Fix released today in Foreman 1.5.2. Details posted on http://theforeman.org/security.html#2014-3531.