Bug 2300497 (CVE-2024-41810)

Summary: CVE-2024-41810 python-twisted: Reflected XSS via HTML Injection in Redirect Response
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: brking, eglynn, haoli, hkataria, jcammara, jjoyce, jmitchel, jneedle, jschluet, kshier, lbalhar, lhh, lsvaty, mabashia, mburns, mgarciac, pbraun, pgrist, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A cross-site scripting (XSS) vulnerability exists in python-twisted in the twisted.web.util.redirectTo function. If application code lets an attacker control the redirect URL, the URL is injected into the HTML body of the redirect response, resulting in reflected XSS. A remote attacker could inject HTML that executes JavaScript in the victim's browser session, which could give unauthorized access to the victim's account and data or allow the attacker to perform operations on the victim's behalf.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2301621, 2301625, 2301617, 2301618, 2301619, 2301620, 2301622, 2301623, 2301624, 2301626

Description OSIDB Bzimport 2024-07-29 16:24:21 UTC
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
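As an added illustration of the bug class (this is not Twisted's code and not the upstream patch), the following hypothetical redirect-body builder is shown in its unescaped form beside the hardened form that HTML-escapes the URL; `build_redirect_body_unsafe`, `build_redirect_body`, `body_contains_raw_markup` and `SAMPLE_URL` are names and sample data constructed for this example.

```python
import html

# Hypothetical minimal template modelled on the bug class: the redirect
# target is echoed into a meta refresh and into a link in the HTML body
# that accompanies the 3xx Location header. Not Twisted's actual template.
_TEMPLATE = (
    '<html><head><meta http-equiv="refresh" content="0;URL={url}"></head>'
    '<body><a href="{url}">click here</a></body></html>'
)

# Constructed sample input: a "URL" that carries markup, as a reflected
# query value would when application code passes user input through.
SAMPLE_URL = 'https://example.com/next?x="><b>injected</b>'


def build_redirect_body_unsafe(url: str) -> bytes:
    """Vulnerable form: the URL is interpolated verbatim into the HTML,
    so quotes and angle brackets in it become live markup."""
    return _TEMPLATE.format(url=url).encode("utf-8")


def build_redirect_body(url: str) -> bytes:
    """Hardened form: HTML-escape the URL before interpolation.
    quote=True also encodes '"', so the value cannot terminate the
    attribute it sits in or open a new element."""
    return _TEMPLATE.format(url=html.escape(url, quote=True)).encode("utf-8")


def body_contains_raw_markup(body: bytes, marker: bytes = b"<b>") -> bool:
    """Check a test harness can run on a captured redirect response body:
    True if the injected marker survived unescaped."""
    return marker in body


if __name__ == "__main__":
    print("unsafe reflects markup:", body_contains_raw_markup(build_redirect_body_unsafe(SAMPLE_URL)))
    print("hardened reflects markup:", body_contains_raw_markup(build_redirect_body(SAMPLE_URL)))
```

Browsers normally follow the Location header and never render this body, but (as the upstream advisory notes) not all of them do, so the body must be safe in its own right.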

Comment 2 Lumír Balhar 2024-07-31 07:58:58 UTC
Important info from https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2:

Note: Due to the different ways browsers validate the redirect Location header, this attack is possible only in Firefox. All other tested browsers will display an error message to the user and will not render the HTML body.

Comment 3 errata-xmlrpc 2024-09-27 04:31:15 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:7312 https://access.redhat.com/errata/RHSA-2024:7312