Bug 1285728 (CVE-2015-7518) - CVE-2015-7518 foreman: Stored XSS vulnerability in smart class parameters/variables
Summary: CVE-2015-7518 foreman: Stored XSS vulnerability in smart class parameters/variables
Alias: CVE-2015-7518
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1297040
Blocks: 1285735
Reported: 2015-11-26 10:56 UTC by Adam Mariš
Modified: 2019-09-29 13:40 UTC
CC: 24 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A stored cross-site scripting (XSS) flaw was found in the smart class parameters/variables field. By sending a specially crafted request to Satellite, a remote, authenticated attacker could embed HTML content into the stored data, allowing them to inject malicious content into the web page that is used to view that data.
Clone Of:
Last Closed: 2016-02-15 18:05:08 UTC


External Trackers:
System: Red Hat Product Errata
ID: RHSA-2016:0174
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Satellite 6.1.7 security, bug and enhancement fix update
Last Updated: 2016-02-15 20:50:32 UTC

Description Adam Mariš 2015-11-26 10:56:25 UTC
A stored XSS vulnerability was found in smart class parameters and variables that are displayed on the edit pages for hosts and groups. The values for fields can be set by any user with granted permission to edit those parameters or variables. These fields can store any value which is shown unescaped on the edit pages, leading to a stored XSS vulnerability.

Upstream bug:


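To make the flaw described in the Doc Text and in the description above concrete, the following Ruby script is added here as an illustration; it is not Foreman code, and the template markup, the function names and the sample parameter values are assumptions. It renders a constructed smart class parameter value through a template that interpolates the stored value unescaped (the behaviour the advisory describes) and through one that HTML-escapes at output time, counts the tags that end up in the page to show the difference, and audits stored values for markup that should not be there. That last check is the one to run over existing data after applying the fix, since a payload stored before the upgrade is still in the database afterwards.

```ruby
require 'erb'

# Constructed sample data, not taken from a real Foreman database: two stored
# smart class parameter values, one benign and one carrying an XSS payload
# that closes the surrounding attribute before injecting a script element.
STORED_PARAMS = [
  { name: 'ntp_server', value: 'ntp.example.com' },
  { name: 'motd',       value: %q("><script>alert(document.cookie)</script>) }
].freeze

# Hypothetical vulnerable template: the stored value is interpolated into the
# edit page as-is, so any markup it contains becomes part of the page.
VULNERABLE_TEMPLATE = ERB.new(
  '<tr><td><%= param[:name] %></td>' \
  '<td><input name="value" value="<%= param[:value] %>"></td></tr>'
)

# Hardened template: every stored value passes through ERB::Util.html_escape
# (which rewrites &, <, >, " and ') at output time, so the browser treats it as text.
SAFE_TEMPLATE = ERB.new(
  '<tr><td><%= ERB::Util.html_escape(param[:name]) %></td>' \
  '<td><input name="value" value="<%= ERB::Util.html_escape(param[:value]) %>"></td></tr>'
)

# Tags contributed by the template itself: tr, td, /td, td, input, /td, /tr.
TEMPLATE_TAG_COUNT = 7

def render(template, param)
  template.result_with_hash(param: param)
end

# Count opening and closing tags in rendered HTML.
def tag_count(html)
  html.scan(%r{</?[a-z]}i).size
end

# True when rendering this parameter produced tags the template did not have,
# i.e. the stored value broke out of its text/attribute context.
def injected?(template, param)
  tag_count(render(template, param)) > TEMPLATE_TAG_COUNT
end

# Post-patch audit: names of stored parameters whose values contain HTML
# metacharacters. Legitimate values can contain these too, so review the hits
# rather than deleting them blindly.
def audit_stored_values(params)
  params.select { |p| p[:value].match?(/[<>"'&]/) }.map { |p| p[:name] }
end

if __FILE__ == $PROGRAM_NAME
  STORED_PARAMS.each do |param|
    puts "#{param[:name]}: vulnerable=#{injected?(VULNERABLE_TEMPLATE, param)} " \
         "safe=#{injected?(SAFE_TEMPLATE, param)}"
  end
  puts "values to review: #{audit_stored_values(STORED_PARAMS).inspect}"
end
```

Escaping at render time, rather than filtering on input, is the fix that matches the advisory: the stored value is left intact (operators may legitimately store values containing angle brackets or quotes), and the edit page is what stops treating it as markup.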
Comment 1 Adam Mariš 2015-12-10 14:42:54 UTC
Upstream patch:


Comment 3 errata-xmlrpc 2016-02-15 15:52:10 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.1

Via RHSA-2016:0174 https://access.redhat.com/errata/RHSA-2016:0174
