Bug 1542165 - (CVE-2018-1000095) CVE-2018-1000095 ovirt-engine: stored XSS in snapshot description and comment
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20180312,repor...
Keywords: Regression, Security
Depends On:
Blocks: 1542168
Reported: 2018-02-05 13:13 EST by Pedro Sampaio
Modified: 2018-07-18 11:46 EDT

Doc Text:
A stored XSS vulnerability was discovered in ovirt-engine 4.2. Sanitization of HTML elements was not applied correctly to all fields shown in the management console. An attacker with VM Admin permissions could use this vulnerability to launch XSS attacks against other VM or Cluster administrators.


Description Pedro Sampaio 2018-02-05 13:13:42 EST
A stored XSS was found in ovirt-engine 4.2.1.1 in the snapshot's description and comment.
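The failure mode the Doc Text describes (escaping applied to some displayed fields but not all) and a check that catches it, as an added example that is not oVirt code and not taken from the referenced fix. The record shape, renderer names and canary value are assumptions, and output escaping stands in for whatever sanitization the project actually uses.

```javascript
// Added example, not oVirt code: the snapshot record shape and both renderers
// are hypothetical stand-ins for a management-console table row.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Single pass, so already-replaced characters are never escaped twice.
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// "Before": escaping is opt-in per field, so any field the author forgets
// is written into the page as markup.
function renderRowPerField(snap) {
  return '<tr><td>' + escapeHtml(snap.name) + '</td>' +
    '<td>' + snap.description + '</td>' + // not escaped
    '<td>' + snap.comment + '</td></tr>'; // not escaped
}

// "After": a tagged template escapes every interpolated value by default.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    '');
}

function renderRowSafe(snap) {
  return html`<tr><td>${snap.name}</td><td>${snap.description}</td><td>${snap.comment}</td></tr>`;
}

// Regression check: place a harmless markup canary (constructed test value)
// in each field in turn and list the fields where it reaches the output raw.
const CANARY = '<b data-canary="1">x</b>';
const FIELDS = ['name', 'description', 'comment'];

function unescapedFields(render, fields = FIELDS) {
  return fields.filter((field) => {
    const record = Object.fromEntries(fields.map((f) => [f, 'plain text']));
    record[field] = CANARY;
    return render(record).includes(CANARY);
  });
}

console.log('per-field renderer leaks:', unescapedFields(renderRowPerField));
console.log('default-escape renderer leaks:', unescapedFields(renderRowSafe));
```

Running the same check over every user-editable field of a view turns "not applied correctly to all fields" into a test failure rather than a report from the field.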
Comment 1 Allon Mureinik 2018-02-06 10:56:46 EST
Hi Pedro,

I'm the engineering manager of the RHV Storage team, which should probably take ownership of this BZ.
There's not too much to go on here (I'm guessing it's something like "create a snapshot with a description that contains javascript").
Can you provide more formal steps? Or perhaps they are in the blocked bug I don't have access to - could you add me as a CC there?

Thanks!

P.S.
Adding the "Regression" keyword. This issue was reproduced with the above steps in 4.2, but not in the latest 4.1.z.
Comment 2 Doran Moppert 2018-02-06 21:52:48 EST
(In reply to Allon Mureinik from comment #1)
> I'm the engineering manager of the RHV Storage team, which should probably
> take ownership of this BZ.
> There's not too much to go on here (I'm guessing it's something like "create
> a snapshot with a description that contains javascript").
> Can you provide more formal steps? Or perhaps they are in the blocked bug I
> don't have access to - could you add me as a CC there?

Hi Allon,

The details are recorded in product bug 1540925, which awels@ owns. It seems the issue is not specific to Storage but affects various fields in oVirt front-end.
Comment 3 Allon Mureinik 2018-02-07 03:00:58 EST
(In reply to Doran Moppert from comment #2)
> (In reply to Allon Mureinik from comment #1)
> > I'm the engineering manager of the RHV Storage team, which should probably
> > take ownership of this BZ.
> > There's not too much to go on here (I'm guessing it's something like "create
> > a snapshot with a description that contains javascript").
> > Can you provide more formal steps? Or perhaps they are in the blocked bug I
> > don't have access to - could you add me as a CC there?
> 
> Hi Allon,
> 
> The details are recorded in product bug 1540925, which awels@ owns. It
> seems the issue is not specific to Storage but affects various fields in
> oVirt front-end.

Thanks Doran.
I was alerted to this issue when Yaniv Kaul added me to the CC list. Looking through bug 1540925 it seems that Alexander has things under control. Alexander/Doran/Pedro - If you need anything from my side, just let me know.
Comment 5 Doran Moppert 2018-02-07 21:11:18 EST
Acknowledgments:

Name: Han Han (Red Hat)
Comment 6 Doran Moppert 2018-02-07 21:11:24 EST
External References:

https://gerrit.ovirt.org/#/c/87265
