Bug 1145398 (CVE-2014-3653)

Summary: CVE-2014-3653 foreman: cross-site scripting (XSS) flaw in template preview screen
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, dallan, gkotton, gmollett, jrusnack, katello-bugs, lhh, lpeer, markmc, mburns, mmccune, rbryant, rhos-maint, sclewis, tjay, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: foreman 1.6.1
Doc Type: Bug Fix
Doc Text:
A cross-site scripting (XSS) flaw was found in Foreman's template preview screen. A remote attacker could use this flaw to perform cross-site scripting attacks by tricking a user into viewing a malicious template. Note that templates are commonly shared among users.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-22 01:58:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1186745
Bug Blocks: 1145400, 1253077
Attachments (description, flags):
  43cc21bbc1a402d18c3462b38443b6bb86ab8097.patch (flags: none)
  86b1f2f50be2b3a2350c5969da47dc15e8a8664a.patch (flags: none)

Description Murray McAllister 2014-09-23 02:06:08 UTC
A cross-site scripting (XSS) flaw was reported in Foreman's template preview screen. If a user were tricked into viewing a malicious template, it would lead to cross-site scripting attacks. Note that templates are commonly shared among users.

This issue was reported in version 1.6.0; however, older versions may also be vulnerable.

Upstream fix:

https://github.com/theforeman/foreman/pull/1778

References:

http://projects.theforeman.org/issues/7483

Comment 4 Kurt Seifried 2015-01-22 19:51:56 UTC
Created attachment 983028 [details]
43cc21bbc1a402d18c3462b38443b6bb86ab8097.patch

Comment 5 Kurt Seifried 2015-01-22 19:52:13 UTC
Created attachment 983029 [details]
86b1f2f50be2b3a2350c5969da47dc15e8a8664a.patch

Comment 7 errata-xmlrpc 2015-08-12 04:51:56 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.1

Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591

Comment 8 errata-xmlrpc 2015-08-12 05:16:55 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.1

Via RHSA-2015:1592 https://access.redhat.com/errata/RHSA-2015:1592