Bug 2487107 (CVE-2026-53473) - CVE-2026-53473 migration-planner-ui-app: Stored XSS via javascript: URL in Agent Credential Link
Keywords:
Status: NEW
Alias: CVE-2026-53473
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-09 18:02 UTC by OSIDB Bzimport
Modified: 2026-06-10 13:53 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-09 18:02:47 UTC
Repository: migration-planner-ui-app  
Priority: High  
Location: src/ui/environment/views/AgentStatusView.tsx:50 (also CreateFromOva.tsx:196, Environment.tsx:131)

Description:  
Discovery agents self-report credentialUrl when registering. The UI renders this string as react-router-dom <Link to=> prop and plain <a href> with no scheme validation. react-router-dom 6.30.3 passes absolute-scheme URLs to DOM <a href>, and React 18.3.1 only warns in dev mode about javascript: - production builds render verbatim. Users are instructed to click the link to reach the discovery VM.

Security Impact:  

Attacker registers agent with credentialUrl: "javascript:..." 

Stored payload executes in http://console.redhat.com origin when any org user clicks link

Yields victim's RH SSO session, enabling cross-tenant data access and API actions as victim

Persistent compromise within organization

Fix Suggestion:  
Introduce safeExternalUrl() helper that parses URL and returns only if protocol is http: or https:. Gate all three render sites so non-http(s) credentialUrl doesn't render as link. See patches/f101.patch.
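The scheme allow-list described in the fix suggestion, written out as an added TypeScript example (this is not the project's code and not the contents of patches/f101.patch, which is not reproduced on this page); the helper names, the CredentialLink type and the sample credentialUrl values are constructed for illustration:

```typescript
// Added example (not the project's code): a scheme allow-list helper along
// the lines of the safeExternalUrl() suggested in the report. Function names,
// the CredentialLink type and the sample values below are constructed.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

/**
 * Returns a normalised absolute http(s) URL, or null for anything else.
 * Uses the WHATWG URL parser so the same normalisation the browser applies
 * (case-folding the scheme, trimming leading/trailing whitespace, dropping
 * embedded tab/newline characters) happens before the protocol check.
 * Relative and protocol-relative strings have no scheme and are rejected.
 */
function safeExternalUrl(raw: unknown): string | null {
  if (typeof raw !== "string") return null;
  let parsed: URL;
  try {
    parsed = new URL(raw); // no base URL: relative input throws
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

/** What a render site should emit for an agent-supplied credentialUrl. */
type CredentialLink =
  | { kind: "link"; href: string }
  | { kind: "text"; value: string };

/**
 * Gate shared by every place the UI shows credentialUrl: only an http(s)
 * URL becomes an <a>/<Link>; anything else is shown as inert text so the
 * value stays visible for troubleshooting but is never clickable.
 */
function credentialLink(raw: unknown): CredentialLink {
  const href = safeExternalUrl(raw);
  if (href !== null) return { kind: "link", href };
  return { kind: "text", value: typeof raw === "string" ? raw : "" };
}

// Constructed sample values an agent might self-report.
const SAMPLES: Record<string, unknown> = {
  ok: "https://10.0.0.5:8443/login",
  js: "javascript:alert(1)",
  mixedCase: "JavaScript:alert(1)",
  tabbed: "java\tscript:alert(1)",
  data: "data:text/html,<b>x</b>",
  relative: "//attacker.example/login",
  notString: { href: "https://example.com" },
};
```

All three render sites named in the report would call credentialLink() and emit a link only for the "link" variant, so the check cannot be skipped at one site.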

