Bug 1542165 (CVE-2018-1000095) - CVE-2018-1000095 ovirt-engine: stored XSS in snapshot description and comment
Summary: CVE-2018-1000095 ovirt-engine: stored XSS in snapshot description and comment
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-1000095
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1542168
Reported: 2018-02-05 18:13 UTC by Pedro Sampaio
Modified: 2021-02-17 00:51 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:39:17 UTC
Embargoed:



Description Pedro Sampaio 2018-02-05 18:13:42 UTC
A stored XSS was found in ovirt-engine 4.2.1.1 in the snapshot's description and comment.

Comment 1 Allon Mureinik 2018-02-06 15:56:46 UTC
Hi Pedro,

I'm the engineering manager of the RHV Storage team, which should probably take ownership of this BZ.
There's not too much to go on here (I'm guessing it's something like "create a snapshot with a description that contains javascript").
Can you provide more formal steps? Or perhaps they are in the blocked bug I don't have access to - could you add me as a CC there?

Thanks!

P.S.
Adding the "Regression" keyword. This issue was reproduced with the above steps in 4.2, but not in the latest 4.1.z.

Comment 2 Doran Moppert 2018-02-07 02:52:48 UTC
(In reply to Allon Mureinik from comment #1)
> I'm the engineering manager of the RHV Storage team, which should probably
> take ownership of this BZ.
> There's not too much to go on here (I'm guessing it's something like "create
> a snapshot with a description that contains javascript").
> Can you provide more formal steps? Or perhaps they are in the blocked bug I
> don't have access to - could you add me as a CC there?

Hi Allon,

The details are recorded in product bug 1540925, which awels@ owns. It seems the issue is not specific to Storage but affects various fields in oVirt front-end.

Comment 3 Allon Mureinik 2018-02-07 08:00:58 UTC
(In reply to Doran Moppert from comment #2)
> (In reply to Allon Mureinik from comment #1)
> > I'm the engineering manager of the RHV Storage team, which should probably
> > take ownership of this BZ.
> > There's not too much to go on here (I'm guessing it's something like "create
> > a snapshot with a description that contains javascript").
> > Can you provide more formal steps? Or perhaps they are in the blocked bug I
> > don't have access to - could you add me as a CC there?
> 
> Hi Allon,
> 
> The details are recorded in product bug 1540925, which awels@ owns. It
> seems the issue is not specific to Storage but affects various fields in
> oVirt front-end.

Thanks Doran.
I was alerted to this issue when Yaniv Kaul added me to the CC list. Looking through bug 1540925 it seems that Alexander has things under control. Alexander/Doran/Pedro - If you need anything from my side, just let me know.

Comment 5 Doran Moppert 2018-02-08 02:11:18 UTC
Acknowledgments:

Name: Han Han (Red Hat)

Comment 6 Doran Moppert 2018-02-08 02:11:24 UTC
External References:

https://gerrit.ovirt.org/#/c/87265

