Bug 918784 - (CVE-2013-1823) CVE-2013-1823 Katello: Notifications page Username XSS
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 909472 918786
Blocks: 918787
Reported: 2013-03-06 15:57 EST by Kurt Seifried
Modified: 2016-03-04 07:19 EST
Doc Type: Bug Fix
Last Closed: 2013-03-26 16:19:49 EDT

Attachments: None

Description Kurt Seifried 2013-03-06 15:57:46 EST
Suresh Thiru (sthirugn@redhat.com) of Red Hat reports:

Description of problem:
On the Notifications page, the username should have its HTML characters escaped.

Steps to Reproduce:
1. Create a user named <blink>FOOO</blink>
2. Go to the Notifications page and notice that FOOO is blinking on the page

Actual results:
FOOO is rendered as blinking HTML on the Notifications page

Expected results:
The username should be displayed in full on the Notifications page: <blink>FOOO</blink>
Comment 2 Murray McAllister 2013-03-25 20:10:53 EDT

This issue was discovered by Sureshkumar Thirugnanasambandan of the Red Hat Quality Engineering Team.
Comment 3 errata-xmlrpc 2013-03-26 15:19:56 EDT
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
