Bug 963568 (CVE-2013-2101)
Summary: | CVE-2013-2101 Katello: Multiple XSS in various entities | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | adprice, athomas, bkearney, cpelland, ehelms, jrusnack, kseifried, mmccune, msuchy, sclewis, security-response-team, walden |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-01-17 05:34:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 963569, 963572, 995657 | | |
Bug Blocks: | 963573, 1000138 | | |
Description
Kurt Seifried
2013-05-16 07:33:38 UTC
There have been several fixes (outlined below) in this area. The majority of the entities (system_group_packages, system_group_errata, promotions, repositories, changesets, distributors, content_views) are not in SAM. I vote we CLOSE/WONTFIX this.

commit e0eb37f7bbf9794587f959803f4e6f5f4ec070c7
Author: Adam Price <komidore64>
Date: Wed Aug 28 17:26:37 2013 -0400

    1001173 - User notification message should escape html characters from custom info

    (cherry picked from commit ddb90f4666e86c8d80cf899eef88e41bbafed524)

added to the bug. This was added in 1.4.3-12

commit c38ed1e5e9c9914af463692692a51a8c0b8bb494
Author: Adam Price <komidore64>
Date: Wed Jul 24 17:58:53 2013 -0400

    987909 - Org names rendered as HTML

    making sure ORG name is escaped if it has HTML characters in its name.
    this includes changes to jeditable's default text.content function and
    a quick substitution of characters in displayed notices

which was added in katello-1.4.3-1

commit 40e586f4f93a785166fac9590fbf1ff6723a0cc5
Author: Adam Price <komidore64>
Date: Wed Jul 17 11:26:48 2013 -0400

    982196 - UI editing description

    override jeditable's textarea 'content' function to not escape text with <, >

which was added in katello-1.4.3-1
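The fixes listed above come down to one rule: an entity name that a user typed (an organization name, custom info) is text, and it must be escaped before it is interpolated into an HTML notice. The following is an added illustration, not Katello's code or any of the commits above; `escapeHtml`, `buildNotice` and `buildNoticeUnsafe` are hypothetical names, and the organization name is a constructed sample.

```javascript
// Added example (not Katello's code): escape user-controlled entity names
// before interpolating them into HTML notices, as the 987909 / 1001173
// fixes described in this bug do for org names and custom info.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity so the browser
// renders the string as literal text rather than parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical notice builder: the org name is user-controlled input.
function buildNotice(orgName) {
  return `<div class="notice">Organization ${escapeHtml(orgName)} was created.</div>`;
}

// The unsafe shape the fixes replaced, kept only to contrast: the name is
// inserted verbatim, so any markup it carries becomes part of the page.
function buildNoticeUnsafe(orgName) {
  return `<div class="notice">Organization ${orgName} was created.</div>`;
}

// Constructed org name containing markup and an ampersand.
const SAMPLE_ORG = 'Acme <b>Corp</b> & "Sons"';

// Returns both renderings so a reviewer can compare them side by side.
function demo() {
  return { safe: buildNotice(SAMPLE_ORG), unsafe: buildNoticeUnsafe(SAMPLE_ORG) };
}
```

Note the third commit above goes the other way for the edit-in-place textarea: when a value is assigned as the control's text content rather than built into an HTML string, escaping it would show `&lt;` literally to the user, so the escaping belongs at the HTML-interpolation boundary and nowhere else.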