Bug 2487107 (CVE-2026-53473)

Summary: CVE-2026-53473 migration-planner-ui-app: Stored XSS via javascript: URL in Agent Credential Link
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-09 18:02:47 UTC 
Repository: migration-planner-ui-app  
Priority: High  
Location: src/ui/environment/views/AgentStatusView.tsx:50 (also CreateFromOva.tsx:196, Environment.tsx:131)

Description:  
Discovery agents self-report credentialUrl when registering. The UI renders this string as react-router-dom <Link to=> prop and plain <a href> with no scheme validation. react-router-dom 6.30.3 passes absolute-scheme URLs to DOM <a href>, and React 18.3.1 only warns in dev mode about javascript: - production builds render verbatim. Users are instructed to click the link to reach the discovery VM.

Security Impact:  

Attacker registers agent with credentialUrl: "javascript:..." 

Stored payload executes in http://console.redhat.com  origin when any org user clicks link

Yields victim's RH SSO session, enabling cross-tenant data access and API actions as victim

Persistent compromise within organization

Fix Suggestion:  
Introduce safeExternalUrl() helper that parses URL and returns only if protocol is http: or https:. Gate all three render sites so non-http(s) credentialUrl doesn't render as link. See patches/f101.patch.