Bug 1355663 (CVE-2016-6186)

Summary: CVE-2016-6186 django: XSS in admin's add/change related popup
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aortega, apevec, athomas, ayoung, bkearney, cbillett, chrisw, cvsbot-xmlrpc, jschluet, kbasil, kseifried, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, sisharma, slong, sparks, srevivo, tdecacqu, tomckay
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: django 1.9.8, django 1.8.14
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript's Element.innerHTML to forge content in the admin's add/change related pop-up. Element.textContent is now used to prevent XSS data execution.
Last Closed: 2016-12-16 00:13:39 UTC
Bug Depends On: 1356326, 1356327, 1356328, 1356330, 1356331, 1357701, 1357702, 1357703, 1357704, 1357726, 1357727
Bug Blocks: 1355664

Description Andrej Nemec 2016-07-12 07:54:41 UTC
An XSS vulnerability was found in Django. Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the admin's add/change related popup. ``Element.textContent`` is now used to prevent execution of the data.

The debug view also used ``innerHTML``. Although a security issue wasn't identified there, out of an abundance of caution it's also updated to use ``textContent``.
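The pattern behind this bug is a string from another window being written into a markup-interpreting sink. As an added example (not Django's code), the following audit flags `innerHTML`/`outerHTML` assignments whose right-hand side is not a plain string literal, so an admin-JS codebase can be checked for the same class of sink; the scanned source and its function names are constructed for this example.

```javascript
// Added example, not Django's own code: flag assignments to markup-interpreting
// DOM sinks (innerHTML / outerHTML) whose right-hand side is not a string literal.
// This is the shape fixed here: a repr string from the popup written via innerHTML.
const SINK_RE = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*([^;\n]+)/g;
// A bare string literal ('...', "..." or `...`) with no other expression around it.
const LITERAL_RE = /^(['"`])(?:(?!\1)[^\\]|\\.)*\1$/;

function auditDomSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    SINK_RE.lastIndex = 0;
    let m;
    while ((m = SINK_RE.exec(line)) !== null) {
      const expression = m[2].trim();
      if (LITERAL_RE.test(expression)) continue; // constant markup, no external input
      findings.push({
        line: idx + 1,
        property: m[1],
        expression,
        fix: `assign plain text via .textContent, or escape before .${m[1]}`,
      });
    }
  });
  return findings;
}

// Constructed sample modelled on the popup-dismiss pattern; names are hypothetical.
const SAMPLE_JS = [
  'function dismissPopup(win, newId, newRepr) {',
  '  var elem = document.getElementById(win.name);',
  '  elem.innerHTML = newRepr;       // value handed back from the popup window',
  '  elem.title = newRepr;',
  '}',
  'function showHelp(box, untrusted) {',
  '  box.innerHTML = "<b>Help</b>";  // constant markup, nothing external',
  '  box.textContent = untrusted;    // inert sink, the replacement used in the fix',
  '}',
].join('\n');

function auditSample() {
  return auditDomSinks(SAMPLE_JS);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSample()) {
    console.log(`line ${f.line}: .${f.property} = ${f.expression} -> ${f.fix}`);
  }
}
```

Only the `innerHTML = newRepr` line is reported; the literal markup and the `textContent` assignment pass.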

Comment 2 Summer Long 2016-07-12 23:39:21 UTC
Acknowledgements:

Name: the upstream Django project

Comment 8 Summer Long 2016-07-19 00:15:29 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1357702]

Comment 9 Summer Long 2016-07-19 00:15:41 UTC
Created python-django15 tracking bugs for this issue:

Affects: epel-6 [bug 1357703]

Comment 10 Summer Long 2016-07-19 00:15:52 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1357701]
Affects: epel-7 [bug 1357704]

Comment 11 Summer Long 2016-07-19 00:53:42 UTC
Created python-django-openstack-auth tracking bugs for this issue:

Affects: openstack-rdo [bug 1357727]

Comment 12 Summer Long 2016-07-19 00:53:52 UTC
Created python-django-horizon tracking bugs for this issue:

Affects: openstack-rdo [bug 1357726]

Comment 16 errata-xmlrpc 2016-08-10 23:44:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 Operational Tools for RHEL 7

Via RHSA-2016:1594 https://rhn.redhat.com/errata/RHSA-2016-1594.html

Comment 17 errata-xmlrpc 2016-08-11 00:04:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:1595 https://rhn.redhat.com/errata/RHSA-2016-1595.html

Comment 18 errata-xmlrpc 2016-08-11 01:23:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:1596 https://rhn.redhat.com/errata/RHSA-2016-1596.html