Bug 1847605 (CVE-2020-10777)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-10777 CloudForms: Cross Site Scripting in report menu title / HTML Code Injection | | |
| Product | [Other] Security Response | Reporter | Yadnyawalk Tale <ytale> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | akarol, dmetzger, gmccullo, gtanzill, jfrey, jhardy, obarenbo, roliveri, security-response-team, simaishi, smallamp |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | cfme-gemset 5.11.7.1 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the Report Menu of Red Hat CloudForms where the title field was not properly sanitized for HTML and JavaScript inputs. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Note that a Content Security Policy can prevent exploitation of this XSS; however, not all browsers support CSP. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-08-06 19:27:42 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1847612 | | |
| Bug Blocks | 1847589 | | |
Description

Yadnyawalk Tale, 2020-06-16 16:48:36 UTC

Upstream patch: https://github.com/ManageIQ/manageiq-ui-classic/pull/3900

Acknowledgments: Name: Purnachand Pulahari (IBM), Ranjit Kumar Singh (IBM)

This issue has been addressed in the following products:

CloudForms Management Engine 5.11

Via RHSA-2020:3358 https://access.redhat.com/errata/RHSA-2020:3358

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10777