Bug 910931 (CVE-2013-0283)

Summary: CVE-2013-0283 Katello: Username in Notification page XSS
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athomas, bkearney, cpelland, jrusnack, kseifried, mmccune, msuchy, sclewis, security-response-team, walden
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-17 05:33:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 995666    
Bug Blocks: 910963, 1000138    

Description Kurt Seifried 2013-02-13 22:00:27 UTC 
Suresh Thiru (sthirugn) reports:

Description of problem:
In Notifications page, the Username should escape html characters

Steps to Reproduce:
1. Create a user named <blink>FOOO</blink>
2. Go to Notifications page and notice that FOOO is in blinking mode in the page
  
Actual results:
FOOO is in html blinking mode in the Notifications page

Expected results:
Username should be displayed fully in Notifications page: <blink>FOOO</blink>

Additional info:
This was introduced with https://bugzilla.redhat.com/show_bug.cgi?id=813291
Comment 1 Kurt Seifried 2013-07-26 07:38:39 UTC 
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.