Bug 1187466 (CVE-2014-0141) - CVE-2014-0141 Satellite 6: environment name variable XSS
Summary: CVE-2014-0141 Satellite 6: environment name variable XSS
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-0141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1187467
Reported: 2015-01-30 06:10 UTC by Kurt Seifried
Modified: 2019-09-29 13:27 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-07-04 06:02:19 UTC
Embargoed:



Description Kurt Seifried 2015-01-30 06:10:20 UTC
Jan Hutař of Red Hat reports:

When I create an environment with HTML (like '<script>alert("hello")</script>')
in its name, the name is not escaped properly on some pages when it is printed,
so this might mean an XSS attack is possible.

Comment 2 Kurt Seifried 2015-07-04 06:02:19 UTC
This was actually fixed prior to GA:

Was reported on: Satellite-6.0.3-RHEL-6-20140313.0
GA release: Satellite-6.0.4-RHEL-6-20140908.0

So this only affected a beta version of Satellite 6. Closing this as CURRENTRELEASE.

