A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed log files. By sending a specially crafted request to Satellite, a remote attacker could embed HTML content into the log file, allowing them to inject malicious content into the web page that is used to view that log file.
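The defensive fix for this class of bug is to treat every log line as untrusted text and HTML-encode it at the point where it is written into the page. The following Java class is an added example written for this note; it is not Spacewalk or Satellite code, and the log lines it renders are constructed samples, including one that carries request-supplied markup of the kind the report describes. The class name and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not spacewalk-java code): render log lines into HTML with
 * every line passed through an HTML encoder, so markup that an attacker
 * managed to get into the log file is shown literally instead of executed.
 */
public class LogViewerEscaping {

    /** Encode the characters that can change meaning inside an HTML text node or attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Build the <pre> block the viewer page embeds; only the wrapper tags are trusted HTML. */
    static String renderLog(List<String> lines) {
        StringBuilder body = new StringBuilder();
        for (String line : lines) {
            body.append(escapeHtml(line)).append('\n');
        }
        return "<pre class=\"log\">\n" + body + "</pre>";
    }

    /** Check used below: the encoded body must contain no raw '<' or '>' from log content. */
    static boolean bodyIsInert(String html) {
        String body = html.substring("<pre class=\"log\">\n".length(), html.length() - "</pre>".length());
        return body.indexOf('<') < 0 && body.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample log: line 2 contains markup taken from a crafted request.
        List<String> log = Arrays.asList(
            "2014-09-09 10:12:01 INFO  request GET /rhn/systems/Overview.do from 192.0.2.10",
            "2014-09-09 10:12:02 WARN  unknown path: /rhn/<script>document.title='x'</script>",
            "2014-09-09 10:12:03 INFO  user \"admin\" & group 'ops' logged in"
        );

        String page = renderLog(log);
        System.out.println(page);
        // Expected: the <script> tag appears as &lt;script&gt; and the check passes.
        System.out.println("log body inert: " + bodyIsInert(page));
    }
}
```

In a JSP/Struts view the same rule applies: emit log content through an escaping tag or expression rather than raw output, and keep the encoding in the view layer so that log writers never need to know how their lines will be displayed.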
Created attachment 928042
Created attachment 928043
This issue has been re-opened.
Red Hat would like to thank Ron Bowes of Google for reporting this issue.
This issue has been addressed in the following products:
Red Hat Network Satellite Server v 5.4
Red Hat Network Satellite Server v 5.5
Red Hat Satellite Server v 5.6
Via RHSA-2014:1184 https://rhn.redhat.com/errata/RHSA-2014-1184.html