Bug #11859

Updated by Dominic Cleal over 8 years ago

We allow storage of key/value parameters globally or assigned to various objects, and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box.

An example on the global parameters form is:

    "><script>alert("hi")</script><b c="

Store this in a parameter value, reload the page and click the "Hidden value" checkbox and the JavaScript will execute. The reverse is probably possible too.

CVE identifier requested via foreman-security@googlegroups.com.
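The following is an added example and not Foreman's own code: it models the bug class described above by rendering the same parameter value into an input's value attribute once by plain string concatenation (where the quoted payload closes the attribute and injects markup) and once through an escaping renderer. The template, function names and the tag-counting check are assumptions made for the demonstration.

```javascript
// Constructed sample input: the payload quoted in the bug report.
const SAMPLE_VALUE = '"><script>alert("hi")</script><b c="';

// Vulnerable rendering (assumed shape): the raw value is spliced into an
// HTML attribute. A value containing `">` terminates the attribute and the
// element, so anything after it becomes live markup when the toggle
// re-renders the field.
function renderValueVulnerable(value, hidden) {
  const type = hidden ? 'password' : 'text';
  return '<input type="' + type + '" value="' + value + '">';
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: the value is escaped before it enters the attribute,
// so the quote and angle brackets stay inert text. In a real browser the
// simpler fix is to set the DOM property (input.value = value) instead of
// building HTML strings at all; the escaping path covers string templates.
function renderValueSafe(value, hidden) {
  const type = hidden ? 'password' : 'text';
  return '<input type="' + type + '" value="' + escapeHtml(value) + '">';
}

// Detection aid for the demo: count start tags in the produced HTML. The
// template emits exactly one element, so any count above 1 means the
// parameter value injected markup.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

function demo() {
  const vulnerable = renderValueVulnerable(SAMPLE_VALUE, false);
  const safe = renderValueSafe(SAMPLE_VALUE, true);
  console.log('vulnerable tags:', countTags(vulnerable), vulnerable); // 3
  console.log('safe tags:      ', countTags(safe), safe);             // 1
  return { vulnerable: countTags(vulnerable), safe: countTags(safe) };
}

demo();
```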
