Bug 2487073 (CVE-2026-53472)

Summary: CVE-2026-53472 migration-planner: credentialUrl Validator Accepts javascript: URLs
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in migration-planner. Insufficient validation of the `AgentStatusUpdate.CredentialUrl` field allows an authenticated attacker to store a malicious `javascript:` URL. When a victim views this URL in the Hybrid Cloud Console, it can lead to Cross-Site Scripting (XSS), enabling script execution in the victim's session and potentially disclosing sensitive information.

Description OSIDB Bzimport 2026-06-09 17:55:20 UTC
Repository: migration-planner
Priority: Medium
Location: internal/handlers/validator/rules.go:11

Description:
The AgentStatusUpdate.CredentialUrl field is tagged validate:"url". go-playground/validator's url rule only checks RFC-3986 well-formedness, so javascript:alert(document.cookie) passes. The value is stored in Postgres and rendered as a clickable link in migration-planner-ui-app inside the Hybrid Cloud Console.

Security Impact:

Backend persistence gate for stored XSS in the Red Hat Hybrid Cloud Console.

Requires agent control alone, but chains with f003→f002 for any authenticated user to plant a javascript: URL in another org's source.

Script execution in the victim's Hybrid Cloud Console session.

Fix Suggestion:
Parse the URL at the handler and reject anything whose scheme is not http or https before it reaches the service layer. The UI should also stop rendering this field as a raw href, but the backend must not store the malicious payload. See patches/f001.patch.
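The scheme allow-list the fix suggestion describes, as an added example in Go (not the project's code, not its patch, and not go-playground/validator's implementation). isWellFormedURL stands in for a purely syntactic "is this a URL" rule so the contrast is visible; ValidateCredentialURL is the hardened gate that should run before the value reaches the service layer. The inputs are constructed, and requiring a non-empty host is an assumption of this example beyond what the report asks for.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// isWellFormedURL stands in for a purely syntactic "is this a URL" rule
// (an approximation for illustration, not go-playground/validator's code):
// it accepts anything net/url parses as an absolute URI with a scheme, so
// javascript:alert(document.cookie) passes, as the report describes.
func isWellFormedURL(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme != ""
}

// ValidateCredentialURL is the gate the fix suggestion calls for (example
// implementation, not the project's patch): parse once, then allow-list the
// scheme. Requiring a non-empty host is an extra assumption of this example.
func ValidateCredentialURL(raw string) error {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return fmt.Errorf("credentialUrl: malformed: %w", err)
	}
	// net/url lowercases the scheme already; lowering again keeps the
	// allow-list independent of that parser detail.
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return fmt.Errorf("credentialUrl: scheme %q not allowed (want http or https)", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("credentialUrl: missing host")
	}
	return nil
}

func main() {
	// Constructed inputs: one legitimate value and the payload shapes a
	// scheme-agnostic check would let through to storage and the UI.
	samples := []string{
		"https://vault.example.internal/creds/agent-1",
		"javascript:alert(document.cookie)",
		"JavaScript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"http://",
	}
	for _, s := range samples {
		fmt.Printf("%-45q well-formed=%-5t hardened=%v\n",
			s, isWellFormedURL(s), ValidateCredentialURL(s))
	}
}
```

Running the block shows every sample passing the syntactic check while only the https value passes the hardened one; the data: case is included to show why an allow-list, rather than a deny-list of javascript: alone, is the right shape for the gate.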