Bug 1517396 (CVE-2017-15125)
Summary: | CVE-2017-15125 cloudforms: XSS in self-service UI snapshot feature | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | cpelland, dajohnso, dclarizi, gblomqui, gmccullo, gtanzill, hhudgeon, jfrey, jhardy, jprause, obarenbo, roliveri, security-response-team, simaishi |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | cfme 5.9.0.22 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in CloudForms in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-03-01 14:23:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1536094, 1536095, 1536534 | ||
Bug Blocks: | 1517389 |
Description
Pedro Sampaio
2017-11-24 20:40:52 UTC
Acknowledgments: Name: Yadnyawalk Tale (Red Hat) Workaround: The CloudForms CSP (Content Security Policy) will prevent exploitation of this, newer versions of the Firefox and Chrome web browsers support CSP and as such users of them are not affected by this XSS. This issue has been addressed in the following products: CloudForms Management Engine 5.9 Via RHSA-2018:0380 https://access.redhat.com/errata/RHSA-2018:0380 Statement: This issue affects the versions of cfme as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |