Bug 1724241 (CVE-2019-10177)
| Summary: | CVE-2019-10177 CloudForms: Store XSS in PDF exports feature allows code execution of Javascript and HTML input | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | akarol, dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, hkataria, jfrey, jhardy, jprause, kdixon, obarenbo, roliveri, security-response-team, simaishi, smallamp |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
It was found that PDF export component in CloudForms was vulnerable to cross-side scripting (XSS) as user input was not properly sanitized. An authenticated attacker with privileges to edit compute could use the XSS vulnerability against users, which could lead to arbitrary code execution, and extraction of the anti-CSRF token of a higher privileged user.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-23 20:21:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1724970, 1724971 | ||
| Bug Blocks: | 1645012 | ||
|
Description
Borja Tarraso
2019-06-26 14:21:25 UTC
Acknowledgments: Name: Yadnyawalk Tale (Red Hat) This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10177 |