Bug 918784 (CVE-2013-1823)

Summary: CVE-2013-1823 Katello: Notifications page Username XSS
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adprice, bkearney, cpelland, mmccune, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-26 20:19:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 909472, 918786    
Bug Blocks: 918787    

Description Kurt Seifried 2013-03-06 20:57:46 UTC 
Suresh Thiru (sthirugn) of Red Hat reports:

Description of problem:
In Notifications page, the Username should escape html characters

Steps to Reproduce:
1. Create a user named <blink>FOOO</blink>
2. Go to Notifications page and notice that FOOO is in blinking mode in the page
  
Actual results:
FOOO is in html blinking mode in the Notifications page

Expected results:
Username should be displayed fully in Notifications page: <blink>FOOO</blink>
Comment 2 Murray McAllister 2013-03-26 00:10:53 UTC 
Acknowledgements:

This issue was discovered by Sureshkumar Thirugnanasambandan of the Red Hat Quality Engineering Team.
Comment 3 errata-xmlrpc 2013-03-26 19:19:56 UTC 
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html