Ales, can you confirm Sat 5.7 behaves the same?
Yes, it is the same on Sat 5.7.
Jiri, cannot the fix be handled in the jsp?
(In reply to Tomas Lestach from comment #4)
> Jiri, cannot the fix be handled in the jsp?
Yeah, this can't be handled by limiting the org name; people put all kinds of things there. The way we fix XSS in the app is to make sure everything that shows up in the UI is escaped. Just using <c:out> is enough; it defaults to escapeXml=
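An added illustration of the escaping approach described in the comment above. This is example markup, not the actual Spacewalk change or any patched JSP from the project; the page fragment, the `org` bean and its `name` property are assumptions made for the example.

```jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- Assumed page fragment that renders the current organization's name.
     The bean name "org" and its "name" property are assumptions for this
     example and do not come from the Spacewalk code base. --%>

<%-- Vulnerable: a bare EL expression in template text is written to the
     response unescaped. An org name of <script>alert(1)</script> therefore
     lands in the page as live markup. --%>
<h1>${org.name}</h1>

<%-- Fixed: <c:out> escapes the XML-significant characters (<, >, &, ', ")
     because escapeXml defaults to true, so the same value renders as text:
     &lt;script&gt;alert(1)&lt;/script&gt; --%>
<h1><c:out value="${org.name}" /></h1>

<%-- Same thing with the default spelled out. Only ever set escapeXml="false"
     for values that are already escaped or trusted HTML, never for a
     user-supplied name. --%>
<h1><c:out value="${org.name}" escapeXml="true" /></h1>
```

The check when reviewing a page for this class of bug is simply to search the JSP for `${...}` occurrences in template text that are not wrapped in `<c:out>` (or in a tag that escapes its own attributes) and to confirm that no `<c:out>` carrying user-controlled data has `escapeXml="false"`.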
Does this need admin access to exploit? I assume setting the org name is restricted.
This is restricted to the Satellite Administrator role. An Organization Admin cannot change the organization name (neither via WebUI nor via API).
Reverted previous commit by 5f86c30d53f6303d245fe94ba2d2b230cb3be14b
CVE assigned and flaw bug created and linked from here. Looks like we'll fix in Sat 5.8, correct?
Re-verified with spacewalk-java-2.5.14-95.
Checked for all the URLs mentioned here and Channels -> Software Channels -> *
Note: You must set the org name using the API; if you use the WebUI, the "<>" characters are removed before being saved to the database. (Creating another BZ about this inconsistency.)
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.