Bug 1144628 (CVE-2014-3654)

Summary: CVE-2014-3654 Satellite: Spacewalk contains multiple XSS (stored and reflected)
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: chazlett, cperry, ggainey, jrusnack, magoldma, mmraka, security-response-team, sherr, sparks, taw, tjay, tlestach
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Doc Type: Bug Fix
Doc Text:
Stored and reflected cross-site scripting (XSS) flaws were found in the way spacewalk-java displayed certain information. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data.
Last Closed: 2014-10-30 21:35:10 UTC
Bug Depends On: 1144630, 1144631, 1144632, 1144633, 1144634, 1153707    
Bug Blocks: 1144629    

Description Kurt Seifried 2014-09-20 00:54:56 UTC
Ron Bowes of Google reports:

Stored cross-site scripting in /rhn/kickstart/cobbler/CustomSnippetList.do

Reflected cross-site scripting in /rhn/channels/software/Entitlements.do

Reflected cross-site scripting in /rhn/admin/multiorg/OrgUsers.do (note:
these are in a POST request of a CSRF-protected page, so this is likely
only self-XSS)

Comment 8 Martin Prpič 2014-10-21 09:39:40 UTC
IssueDescription:

Stored and reflected cross-site scripting (XSS) flaws were found in the way spacewalk-java displayed certain information. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data.

Comment 10 errata-xmlrpc 2014-10-30 17:12:13 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:1762 https://rhn.redhat.com/errata/RHSA-2014-1762.html

Comment 11 Kurt Seifried 2014-10-31 04:25:23 UTC
Acknowledgement:

Red Hat would like to thank Ron Bowes of Google for reporting this issue.