Bug 1181472 (CVE-2015-0284) - CVE-2015-0284 Red Hat Satellite: stored XSS in user details fields (incomplete fix for CVE-2014-7811)
Summary: CVE-2015-0284 Red Hat Satellite: stored XSS in user details fields (incomplet...
Alias: CVE-2015-0284
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: CVE-2016-2144 (view as bug list)
Depends On: 1181152 1314906
Blocks: 1181470 1305684
TreeView+ depends on / blocked
Reported: 2015-01-13 09:26 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:49 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A cross-site scripting (XSS) flaw was found in how XML data was handled in Red Hat Satellite. A user able to use the XMLRPC API could exploit this flaw to perform XSS attacks against other Satellite users.
Clone Of:
Last Closed: 2016-04-04 17:02:25 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0590 0 normal SHIPPED_LIVE Moderate: spacewalk-java security update 2016-04-04 19:35:36 UTC

Description Vasyl Kaigorodov 2015-01-13 09:26:29 UTC
Jan Hutař reports:

There is stored XSS vulnerability in user details field in Satellite server, they can be exploited by using the XMLRPC API to send XML data containing malformed data.

Comment 3 Kurt Seifried 2016-03-08 16:34:09 UTC
*** Bug 1315398 has been marked as a duplicate of this bug. ***

Comment 4 Kurt Seifried 2016-03-08 16:37:14 UTC
External reference:
spacewalk git dd418384171473c3e31386a1b4792f8c555dc744
spacewalk git f3792c79c1c251a49cc4e382be8591636326a794

Comment 5 Kurt Seifried 2016-03-17 16:25:45 UTC

Name: Jan Hutař (Red Hat)

Comment 6 errata-xmlrpc 2016-04-04 15:36:39 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.7

Via RHSA-2016:0590 https://rhn.redhat.com/errata/RHSA-2016-0590.html

Note You need to log in before you can comment on or make changes to this bug.