1187466 – (CVE-2014-0141) CVE-2014-0141 Satellite 6: environment name variable XSS

Bug 1187466 (CVE-2014-0141) - CVE-2014-0141 Satellite 6: environment name variable XSS

Summary: CVE-2014-0141 Satellite 6: environment name variable XSS

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2014-0141
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1187467
TreeView+	depends on / blocked

Reported:	2015-01-30 06:10 UTC by Kurt Seifried
Modified:	2019-09-29 13:27 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-07-04 06:02:19 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2015-01-30 06:10:20 UTC

Jan Hutař of Red Hat reports:

When I create environment with HTML (like '<script>alert("hello")</script>') 
in name is not escaped properly on some pages when printing it and so might 
mean XSS attack possibility.

Comment 2 Kurt Seifried 2015-07-04 06:02:19 UTC

This was actually fixed prior to GA:

Was reported on: Satellite-6.0.3-RHEL-6-20140313.0
GA release: Satellite-6.0.4-RHEL-6-20140908.0

So this only affected a beta version of Satellite 6. Closing this as CURRENTRELEASE.

Note You need to log in before you can comment on or make changes to this bug.