Red Hat Bugzilla – Bug 1264221
CVE-2015-5282 foreman: XSS in hidden parameter value switcher
Last modified: 2016-04-26 19:06:46 EDT
A vulnerability allowing XSS in Foreman 1.7.0 and higher was reported from upstream. It is allowed to store the key/value parameters globally or assigned to various objects and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box.
This issue affects the versions of foreman as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.