Description of problem: possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted Version-Release number of selected component (if applicable): Satellite-6.0.3-RHEL-6-20140520.2 How reproducible: always Steps to Reproduce: 1. In webUI go to Configure -> Host groups -> New Host groups 2. Fill in this: Name: test<script>alert('HI')</script> Click "Submit" to create the hostgroup 3. Note that parameter name is correctly escaped in the parameters list Actual results: Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed) Expected results: Submit button should not execute javascript
Upstream embargoed bug opened at http://projects.theforeman.org/issues/5881. This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves. The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.
Upstream fix: http://projects.theforeman.org/projects/foreman/repository/revisions/983075c0c0e95c0d4715591325e88c90c7f09d71 External References: http://theforeman.org/security.html#2014-3491
This was fixed in versions Foreman 1.4.5 and 1.5.1 upstream.
his issue has been addressed in the following products: Red Hat Satellite 6 Via the GA release of Satellite 6.