Bug 1255168 (CVE-2015-5215)

Summary: CVE-2015-5215 ipsilon: XSS in multiple pages
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: puiterwijk, rcritten, slong, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that the Ipsilon IdP server used the default configuration of the Jinja templating engine, which did not HTML escape template variables. This could be exploited to perform an XSS attack if a value from untrusted input was used in the template and rendered in the user`s browser.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:46:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1255176, 1255775    
Bug Blocks: 1255174    

Description Kurt Seifried 2015-08-19 20:22:05 UTC 
Michael Scherer of Red Hat reports:

ipsilon does not escape HTML when processing templates.
Comment 1 Simo Sorce 2015-08-19 20:35:11 UTC 
Can you please be a little biut more specific ?
As far as I know jinja2 escapes by default and I am not aware that we are using manual escaping anywhere.
Comment 2 Kurt Seifried 2015-08-19 20:35:55 UTC 
Created ipsilon tracking bugs for this issue:

Affects: fedora-all [bug 1255176]
Comment 4 Simo Sorce 2015-08-19 20:43:31 UTC 
Uhm re-reading jinja2 documentation 3 times I finally see they say the escaping is not enabled automatically now :-(
Comment 6 Ilya Etingof 2015-08-24 08:36:01 UTC 
Acknowledgement:

This issue was discovered by Michael Scherer of Red Hat.
Comment 7 Ján Rusnačko 2015-08-24 08:44:41 UTC 
Analysis:

It was found that Ipsilon used default configuration of Jinja templating engine, which did not html escape template variables. This could be exploited to perform XSS attack if a value from untrusted input was used in the template that is rendered to the user`s browser.