Bug 918784 (CVE-2013-1823) - CVE-2013-1823 Katello: Notifications page Username XSS
Summary: CVE-2013-1823 Katello: Notifications page Username XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-1823
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 909472 918786
Blocks: 918787
 
Reported: 2013-03-06 20:57 UTC by Kurt Seifried
Modified: 2023-05-12 15:17 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-03-26 20:19:49 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0686 0 normal SHIPPED_LIVE Moderate: Subscription Asset Manager 1.2.1 update 2013-03-26 23:16:44 UTC

Description Kurt Seifried 2013-03-06 20:57:46 UTC
Suresh Thiru (sthirugn) of Red Hat reports:

Description of problem:
On the Notifications page, the Username should escape HTML characters

Steps to Reproduce:
1. Create a user named <blink>FOOO</blink>
2. Go to the Notifications page and notice that FOOO is in blinking mode on the page

Actual results:
FOOO is in HTML blinking mode on the Notifications page

Expected results:
Username should be displayed fully in Notifications page: <blink>FOOO</blink>
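
The report above describes a stored XSS: a username containing markup is placed into the Notifications page without HTML escaping, so the `<blink>` tags are interpreted instead of displayed. The following is an added illustration, not code from Katello or from the reporter. It uses plain ERB from the Ruby standard library (Katello is a Rails application; the template text, the NotificationView class, the sample username from the reproduction steps and the foreign_tags check are all constructed here for the example). Plain ERB does not escape `<%= %>` output, so the vulnerable and fixed templates differ only in the `h()` call; in a Rails view, where `<%= %>` escapes by default, the same defect usually comes from `raw`, `html_safe`, `<%== %>` or a helper that concatenates strings into HTML.

```ruby
require "erb"

# Constructed templates for a single notification row. They are not Katello's views.
# VULNERABLE: the username and message are interpolated verbatim.
VULNERABLE_TEMPLATE = '<li><span class="user"><%= username %></span> <%= message %></li>'
# FIXED: every untrusted value is HTML-escaped at the point it enters the markup.
FIXED_TEMPLATE      = '<li><span class="user"><%= h(username) %></span> <%= h(message) %></li>'

# Tag names the template itself is allowed to emit; anything else came from input.
TEMPLATE_TAGS = %w[li span].freeze

class NotificationView
  include ERB::Util  # provides h() / html_escape (escapes & < > " ')

  def initialize(template_source)
    @template = ERB.new(template_source)
  end

  # Renders one row. The binding exposes the locals `username` and `message`
  # and the h() helper to the template.
  def render(username, message)
    @template.result(binding)
  end
end

# Regression check: returns tag names present in the rendered HTML that the
# template did not put there. An empty result means no input became markup.
def foreign_tags(html, template_tags = TEMPLATE_TAGS)
  html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq - template_tags
end

# Constructed sample input: the username from the bug's reproduction steps.
REPORTED_USERNAME = "<blink>FOOO</blink>"

if __FILE__ == $PROGRAM_NAME
  vulnerable = NotificationView.new(VULNERABLE_TEMPLATE).render(REPORTED_USERNAME, "has logged in")
  fixed      = NotificationView.new(FIXED_TEMPLATE).render(REPORTED_USERNAME, "has logged in")
  puts "vulnerable: #{vulnerable}  injected tags: #{foreign_tags(vulnerable).inspect}"
  puts "fixed:      #{fixed}  injected tags: #{foreign_tags(fixed).inspect}"
end
```

With the vulnerable template the browser receives a literal `<blink>` element around FOOO, which is exactly the behaviour reported; with the fixed template it receives `&lt;blink&gt;FOOO&lt;/blink&gt;`, which displays the username text as entered. Escaping the message as well matters because notification text often embeds other user-controlled values. The foreign_tags check is cheap enough to run in a view test for every page that prints a username.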

Comment 2 Murray McAllister 2013-03-26 00:10:53 UTC
Acknowledgements:

This issue was discovered by Sureshkumar Thirugnanasambandan of the Red Hat Quality Engineering Team.

Comment 3 errata-xmlrpc 2013-03-26 19:19:56 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html

