oss-sec mailing list archives
CVE-2016-6319: Foreman stored XSS in form label helpers
From: Dominic Cleal <dominic () cleal org>
Date: Wed, 24 Aug 2016 14:07:01 +0100
CVE-2016-6319: Foreman stored XSS in form label helpers

The "label" parameter of all form helpers used to construct web UI components was not escaped, allowing XSS (cross-site scripting). Foreman itself did not contain exploitable code, but other plugins that relied on these form helpers could be vulnerable. One known vulnerable plugin is Remote Execution. All versions of this plugin are affected.

Affects Foreman 1.6.0 and higher
Fix released in Foreman 1.12.2

Patch: https://github.com/theforeman/foreman/commit/0f35fe14acf0d0d3b55e9337bc5e2b9640ff2372

More information:
https://theforeman.org/security.html#2016-6319
http://projects.theforeman.org/issues/16024
https://theforeman.org

--
Dominic Cleal
dominic () cleal org
Attachment:
signature.asc
Description: OpenPGP digital signature
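The vulnerability class described in the advisory (a form helper that interpolates its label argument into markup without escaping, so stored plugin data becomes a stored XSS) is illustrated below in plain Ruby. This is an added example, not Foreman's or the Remote Execution plugin's code: the helper names `unsafe_label`, `safe_label` and `contains_injected_markup?` and the sample label string are constructed here for illustration. The hardened variant uses `ERB::Util.html_escape` from the Ruby standard library, which is the escaping that Rails' `h()` helper performs.

```ruby
require "erb"

# Constructed sample input: a label that an attacker could have stored
# earlier (for example as a user-supplied name in a plugin) and that a
# form helper later renders as the <label> text. Not a real payload
# from the advisory.
MALICIOUS_LABEL = %q{Run job<img src=x onerror="alert(document.cookie)">}

# Vulnerable pattern (hypothetical helper): the label is interpolated
# verbatim, so any HTML it contains becomes live markup in the page.
def unsafe_label(field, label)
  %(<label for="#{field}">#{label}</label>)
end

# Hardened pattern (hypothetical helper): both the attribute value and the
# element text are passed through ERB::Util.html_escape, which turns
# & < > " ' into entities, so the label is rendered as literal text.
def safe_label(field, label)
  %(<label for="#{ERB::Util.html_escape(field)}">#{ERB::Util.html_escape(label)}</label>)
end

# Rough check for a rendered fragment: strip the expected <label> wrapper
# and see whether any raw '<' survives inside it. Escaped output contains
# only '&lt;', so a remaining '<' means injected markup.
def contains_injected_markup?(html)
  inner = html.sub(%r{\A<label[^>]*>}, "").sub(%r{</label>\z}, "")
  inner.include?("<")
end

if __FILE__ == $0
  puts "vulnerable: #{unsafe_label('job_name', MALICIOUS_LABEL)}"
  puts "hardened:   #{safe_label('job_name', MALICIOUS_LABEL)}"
  puts "injected? vulnerable=#{contains_injected_markup?(unsafe_label('job_name', MALICIOUS_LABEL))}" \
       " hardened=#{contains_injected_markup?(safe_label('job_name', MALICIOUS_LABEL))}"
end
```

The point for plugin authors is the one the advisory makes: a helper that is safe for the literal labels used in the core application becomes a stored XSS sink as soon as a plugin passes it data that originated from a user, so the escaping belongs in the helper, not at every call site.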