Bug 1172934 (CVE-2014-7812)

Summary: CVE-2014-7812 Red Hat Satellite, Spacewalk: XSS in system-group
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Jan Hutař <jhutar>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: chazlett, cperry, jhutar, mmraka, security-response-team, taw, tjay, tlestach
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-12 18:08:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1156307
Bug Blocks: 1144629

Description Kurt Seifried 2014-12-11 06:27:10 UTC
Mickaël Gallier reports:

There are several stored XSS vulnerabilities in various fields in Satellite
server; they can be exploited by using the REST API to send XML data
containing malformed data.

One of these is in the system-group handling. Please see CVE-2014-7811 for
the other vulnerabilities.

Comment 2 Kurt Seifried 2015-01-09 17:25:58 UTC
Acknowledgement:

Red Hat would like to thank Mickaël Gallier for reporting this issue.

Comment 6 errata-xmlrpc 2015-01-12 17:12:51 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.7

Via RHSA-2015:0033 https://rhn.redhat.com/errata/RHSA-2015-0033.html

Comment 7 errata-xmlrpc 2015-01-13 17:27:14 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.7

Via RHSA-2015:0033 https://rhn.redhat.com/errata/RHSA-2015-0033.html