Bug 1187466 (CVE-2014-0141) - CVE-2014-0141 Satellite 6: environment name variable XSS
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-0141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150129,repor...
Keywords: Security
Depends On:
Blocks: 1187467
Reported: 2015-01-30 06:10 UTC by Kurt Seifried
Modified: 2019-06-08 20:24 UTC
Last Closed: 2015-07-04 06:02:19 UTC


Description Kurt Seifried 2015-01-30 06:10:20 UTC
Jan Hutař of Red Hat reports:

When I create an environment with HTML (like '<script>alert("hello")</script>') 
in its name, it is not escaped properly on some pages when printing it, and so 
this might mean an XSS attack possibility.

Comment 2 Kurt Seifried 2015-07-04 06:02:19 UTC
This was actually fixed prior to GA:

Was reported on: Satellite-6.0.3-RHEL-6-20140313.0
GA release: Satellite-6.0.4-RHEL-6-20140908.0

So this only affected a beta version of Satellite 6. Closing this as CURRENTRELEASE.
