Bug 1100313 (CVE-2014-3491) - CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
Summary: CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
Alias: CVE-2014-3491
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://projects.theforeman.org/issues...
Depends On:
Blocks: 1130555
TreeView+ depends on / blocked
Reported: 2014-05-22 13:56 UTC by Adam Saleh
Modified: 2021-02-17 06:33 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-30 02:41:46 UTC

Attachments (Terms of Use)

Description Adam Saleh 2014-05-22 13:56:42 UTC
Description of problem:
possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
     Name: test<script>alert('HI')</script>
   Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list

Actual results:
Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed)

Expected results:
Submit button should not execute javascript

Comment 3 Dominic Cleal 2014-05-22 14:43:33 UTC
Upstream embargoed bug opened at http://projects.theforeman.org/issues/5881.

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources.  I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.

Comment 6 Kurt Seifried 2015-01-30 02:33:35 UTC
This was fixed in versions Foreman 1.4.5 and 1.5.1 upstream.

Comment 7 Kurt Seifried 2015-01-30 02:41:46 UTC
his issue has been addressed in the following products:

  Red Hat Satellite 6

Via the GA release of Satellite 6.

Note You need to log in before you can comment on or make changes to this bug.