oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2015-5282: Foreman stored XSS in parameter hide checkbox

From: Dominic Cleal <dominic () cleal org>
Date: Mon, 21 Sep 2015 11:18:33 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2015-5282: Foreman is affected by a stored XSS vulnerability in
its parameter key/value web UI.

A checkbox exists to hide the values of parameters stored in the
application to mask them from casual viewing.  When changing the
hide/show checkbox, the value is masked/unmasked in the UI, but the
parameter value was not properly escaped when updating the UI which
allowed stored HTML/JS etc. to be evaluated.

Affects: Foreman 1.7.0 or higher
Fix to be released in Foreman 1.10.0

Patch:
https://github.com/theforeman/foreman/commit/4f3555b217be8723e8045f9816d
147b5f684ec57

More information:
http://theforeman.org/security.html#2015-5282
http://projects.theforeman.org/issues/11859
http://theforeman.org/

- -- 
Dominic Cleal
dominic () cleal org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlX/2XMACgkQfH0ybywrcsxlNACeJ/9XQm9eMcXf+xw3JFCSf5vY
VN0An1WwmASbhE0cci+no2LUO0fIpiOV
=V/Ke
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: