Bug 1311636 - graphite-web: Persistent XSS due to unsanitized path of graph target
graphite-web: Persistent XSS due to unsanitized path of graph target
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1311645 1311644
Blocks: 1311652
  Show dependency treegraph
Reported: 2016-02-24 11:22 EST by Adam Mariš
Modified: 2016-05-18 03:00 EDT (History)
21 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-05-18 03:00:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-02-24 11:22:12 EST
A persistent XSS vulnerability in the target parameter was found. A malicious user could save javascript code in his graph and the javascript will be executed on any user that accessed this graph. It is not possible to steal the cookie because the httponly flag is present, but the attacker could do other malicious actions.

Upstream bug:


CVE request:

Comment 1 Adam Mariš 2016-02-24 11:35:03 EST
Created graphite-web tracking bugs for this issue:

Affects: fedora-all [bug 1311644]
Affects: epel-all [bug 1311645]

Note You need to log in before you can comment on or make changes to this bug.