Bug 1743100 (CVE-2019-11776)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-11776 eclipse-birt: report viewer allows reflected XSS in __format url parameter | | |
| Product | [Other] Security Response | Reporter | Dhananjay Arunesh <darunesh> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | akurtako |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A reflected cross-site scripting (XSS) vulnerability was found in the Eclipse BIRT Report Viewer. Specifically, the __format parameter is not sufficiently sanitized, allowing JavaScript to be inserted in the URL. A remote attacker can exploit this flaw to execute JavaScript code within the context of the affected user. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-01-31 14:09:31 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1743101 | | |
Description
Dhananjay Arunesh
2019-08-19 06:02:33 UTC
Statement: This flaw did not affect the versions of eclipse-birt as shipped with Red Hat Enterprise Linux 6, as they did not include the BIRT Viewer component. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11776