Bug 1638130 (CVE-2018-14664)
| Summary: | CVE-2018-14664 foreman: Persisted XSS on all pages that use breadcrumbs | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bbuckingham, bcourt, bkearney, mhulan, mmccune, mrike, ohadlevy, rchan, rjerrido |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | foreman 1.18.3, foreman 1.19.1, foreman 1.20.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:39:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1652999 | ||
| Bug Blocks: | 1637736 | ||
|
Description
Laura Pardo
2018-10-10 19:43:34 UTC
Acknowledgments: Name: Sanket Jagtap (Red Hat Pune India) External References: https://projects.theforeman.org/issues/25169 *** Bug 1645190 has been marked as a duplicate of this bug. *** This issue has been addressed in the following products: Red Hat Satellite 6.5 for RHEL 7 Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222 |