Bug 1463300 - (CVE-2017-7535) CVE-2017-7535 foreman: XSS in the manage organization page
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170712,repor...
Keywords: Security
Depends On: 1469898
Blocks: 1463302
Reported: 2017-06-20 10:21 EDT by Andrej Nemec
Modified: 2017-10-10 04:56 EDT (History)
CC List: 12 users
Description Andrej Nemec 2017-06-20 10:21:21 EDT
A cross-site scripting vulnerability was found in foreman in the manage organization page.
Comment 1 Andrej Nemec 2017-06-20 10:21:28 EDT
Acknowledgments:

Name: Sanket Jagtap (Red Hat)
Comment 3 Bryan Kearney 2017-08-17 11:40:17 EDT
Do you have a link to an upstream issue? I checked with upstream and they are not aware of this CVE.
Comment 4 Andrej Nemec 2017-08-21 04:20:33 EDT
(In reply to Bryan Kearney from comment #3)
> Do you have a link to an upstream issue? I checked with upstream and they
> are not aware of this CVE.

I assumed that the reporter let the upstream know as always. Do you still want me to let them know, or is this resolved for now?
Comment 5 Bryan Kearney 2017-08-21 07:09:16 EDT
Sanket, do you know what the upstream issue is for this bug?
Comment 6 Sanket Jagtap 2017-09-15 01:12:05 EDT
I have not yet tested this with upstream. So I didn't yet report it upstream, but yes, I will let them know about this issue.
Comment 7 Andrej Nemec 2017-09-19 04:14:47 EDT
Upstream issue:

http://projects.theforeman.org/issues/20963
Comment 8 Andrej Nemec 2017-10-10 04:56:18 EDT
References:

http://seclists.org/oss-sec/2017/q3/521