Since version 0.9.8, Guacamole has provided access to files via a file browser located in the Guacamole menu. If file transfer is enabled on a remote desktop connection, this file browser displays a navigable hierarchy of files to which the user has access. A cross-site scripting (XSS) vulnerability was discovered and reported by Niv Levy through which files with specially-crafted names could lead to JavaScript execution if file transfer is enabled to a location which is shared by multiple users.

External References:

https://sourceforge.net/p/guacamole/news/2016/02/security-advisory---stored-xss-cve-2016-1566--guac-1465/
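The failure mode described above, as an added example that is not Guacamole's code or part of the original report: a file listing built by plain string concatenation next to one that escapes each name before it reaches the markup. All function names and the sample file names are constructed for illustration; the page does not show how the real file browser renders names.

```javascript
// Added example; not Guacamole source code. All names here are hypothetical.

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the file name is concatenated into markup as-is, so a name
// containing tags is parsed as HTML in the browser of every user who opens
// the shared listing.
function renderListingUnsafe(names) {
  return '<ul>' + names.map((n) => '<li class="file">' + n + '</li>').join('') + '</ul>';
}

// Hardened pattern: every name is escaped first and is displayed as text.
// In a browser, assigning the name to element.textContent has the same effect.
function renderListingSafe(names) {
  return '<ul>' + names.map((n) => '<li class="file">' + escapeHtml(n) + '</li>').join('') + '</ul>';
}

// Audit helper for a shared transfer directory: flag names that contain
// angle brackets, which ordinary file names have no reason to carry.
function suspiciousNames(names) {
  return names.filter((n) => /[<>]/.test(n));
}

// Constructed sample: names as they might appear in a directory that
// several users can write to. The markup used is deliberately benign.
const SAMPLE_NAMES = ['report.pdf', 'notes & todo.txt', '<b>quarterly</b>.xlsx'];

console.log(renderListingUnsafe(SAMPLE_NAMES)); // tags from the name survive
console.log(renderListingSafe(SAMPLE_NAMES));   // tags are rendered inert
console.log(suspiciousNames(SAMPLE_NAMES));     // names worth reviewing
```

Because the name is stored on the shared location, the unsafe listing affects every user who browses that directory, which is why escaping at render time matters more than filtering at upload time.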
Created guacamole tracking bugs for this issue:

Affects: epel-6 [bug 1418776]
Affects: epel-7 [bug 1418777]
Affects: fedora-all [bug 1418775]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.