Bug 1255168 (CVE-2015-5215) - CVE-2015-5215 ipsilon: XSS in multiple pages
Summary: CVE-2015-5215 ipsilon: XSS in multiple pages
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5215
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1255176 1255775
Blocks: 1255174
TreeView+ depends on / blocked
 
Reported: 2015-08-19 20:22 UTC by Kurt Seifried
Modified: 2023-05-12 21:56 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the Ipsilon IdP server used the default configuration of the Jinja templating engine, which did not HTML escape template variables. This could be exploited to perform an XSS attack if a value from untrusted input was used in the template and rendered in the user`s browser.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:46:55 UTC
Embargoed:


Attachments (Terms of Use)

Description Kurt Seifried 2015-08-19 20:22:05 UTC
Michael Scherer of Red Hat reports:

ipsilon does not escape HTML when processing templates.

Comment 1 Simo Sorce 2015-08-19 20:35:11 UTC
Can you please be a little biut more specific ?
As far as I know jinja2 escapes by default and I am not aware that we are using manual escaping anywhere.

Comment 2 Kurt Seifried 2015-08-19 20:35:55 UTC
Created ipsilon tracking bugs for this issue:

Affects: fedora-all [bug 1255176]

Comment 4 Simo Sorce 2015-08-19 20:43:31 UTC
Uhm re-reading jinja2 documentation 3 times I finally see they say the escaping is not enabled automatically now :-(

Comment 6 Ilya Etingof 2015-08-24 08:36:01 UTC
Acknowledgement:

This issue was discovered by Michael Scherer of Red Hat.

Comment 7 Ján Rusnačko 2015-08-24 08:44:41 UTC
Analysis:

It was found that Ipsilon used default configuration of Jinja templating engine, which did not html escape template variables. This could be exploited to perform XSS attack if a value from untrusted input was used in the template that is rendered to the user`s browser.


Note You need to log in before you can comment on or make changes to this bug.