Bug 2491886 (CVE-2026-13083)
| Summary: | CVE-2026-13083 pen-drive: pen-drive: stored XSS via unescaped cluster data in HTML report | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | derez |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
A flaw was found in the Pen Drive tool's HTML report generation. When Pen Drive runs a full-run against an OpenShift cluster or a must-gather archive, it generates an HTML report containing cluster data. Cluster-sourced fields — including the ClusterVersion spec.channel, CatalogSource metadata, and Subscription configuration — are rendered directly into the HTML output without escaping or sanitization. An attacker with cluster administrator privileges (or the ability to modify a must-gather archive) can inject arbitrary HTML and JavaScript into cluster objects using commands such as: oc patch clusterversion version --type merge -p '{"spec":{"channel":"stable-4.18<img src=x onerror=alert(1)>"}}'. When Pen Drive generates a report from this cluster data and another user (such as a support engineer or cluster administrator) opens the report in their browser, the injected JavaScript executes in their browser context. This can lead to session token theft, credential exfiltration, or manipulation of displayed content. The vulnerability was found during an internal pentest of Pen Drive version 0.1.3 and is reportedly fixed in version 1.0.0-2.