Description of problem:
There is a possible XSS when you create a group with HTML via SSM or the API and check a snapshot with this group join/leave.

Version-Release number of selected component (if applicable):
spacewalk-java-2.3.8-134.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1. Use SSM to create a group:
   Systems -> System Set Manager -> Groups -> Create Group
     Name: '"><script>alert()</script>'
     Description: whatever
   OR use the API to create such a group:
     client.systemgroup.create(key, 'bz"><script>alert("created name")</script>', 'bz"><script>alert("created desc")</script>')
2. Choose a system and make sure it has the Provisioning add-on entitlement
3. Systems -> <system> -> Groups -> Join -> select the group you have created in step "1."
4. Systems -> <system> -> Provisioning -> Snapshots -> <newest_one> -> Groups
5. Ensure you see the group from step "1." there. If you do not, find the snapshot where you can see it (if you made more actions with the system, this might not be trivial :-))

Actual results:
If you are in the correct snapshot (see step "5."), a JavaScript alert appears.

Expected results:
Group name is properly escaped.

Additional info:
Found when working on bug 1320452.
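The expected result above (an escaped group name) can be checked with a small regression test. This is an added example, not code from Spacewalk or from this report: `escapeHtml`, `renderRow` and the `<td title="...">` markup are hypothetical stand-ins for the snapshot page, and the only values taken from the report are the two strings from the API call in step 1.

```java
public class GroupNameEscaping {

    // Minimal HTML escaper covering the characters that matter in both
    // element-text and quoted-attribute contexts.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical renderer: the value lands in a quoted attribute and in
    // element text, the two places where a raw '">' changes the markup.
    static String renderRow(String groupName, boolean escape) {
        String n = escape ? escapeHtml(groupName) : groupName;
        return "<td title=\"" + n + "\">" + n + "</td>";
    }

    public static void main(String[] args) {
        // Strings from the systemgroup.create call in the reproducer.
        String[] names = {
            "bz\"><script>alert(\"created name\")</script>",
            "bz\"><script>alert(\"created desc\")</script>"
        };
        for (String name : names) {
            System.out.println("unescaped: " + renderRow(name, false));
            System.out.println("escaped:   " + renderRow(name, true));
            // After escaping, no character that can open a tag or close
            // the attribute may survive in the value itself.
            String e = escapeHtml(name);
            if (e.chars().anyMatch(ch -> "<>\"'".indexOf(ch) >= 0)) {
                throw new IllegalStateException("markup survived: " + e);
            }
        }
        System.out.println("all reproducer strings render as inert text");
    }
}
```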
CVE is public, this BZ should be as well

spacewalk.github: 23f46724d31c476f16fb1a8fe3ee113460640f43
Reproduced on spacewalk-java-2.3.8-142.el6sat using the reproducer from the initial report. JavaScript alert got executed as described, groups were created both by WebUI and API with the same result.

Updated to spacewalk-java-2.3.8-144.el6sat, group names in snapshots are displayed correctly, JavaScript is not executed.

VERIFIED
Re-verified with spacewalk-java-2.3.8-147 as described in the comment #4.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-1484.html