Bug 805712 (CVE-2012-1575) - CVE-2012-1575 cumin: multiple XSS flaws
Summary: CVE-2012-1575 cumin: multiple XSS flaws
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-1575
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 438142 807763 812066
Blocks: 805721
TreeView+ depends on / blocked
 
Reported: 2012-03-21 21:18 UTC by Vincent Danen
Modified: 2019-09-29 12:51 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-12 16:56:47 UTC
Embargoed:

Attachments (Terms of Use)
Technical write up on vulnerabilities, fixes, and testing (65.31 KB, application/pdf)
2012-03-22 12:39 UTC, Trevor McKay 		no flags Details
Quota config, referenced from the pdf (198 bytes, application/octet-stream)
2012-03-22 12:40 UTC, Trevor McKay 		no flags Details
Aviary submit script, referenced from the pdf (2.63 KB, text/x-python)
2012-03-22 12:41 UTC, Trevor McKay 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0476 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Management Console security update 2012-04-12 20:35:25 UTC
Red Hat Product Errata RHSA-2012:0477 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Management Console security update 2012-04-12 20:35:19 UTC

Description Vincent Danen 2012-03-21 21:18:32 UTC 
A number of XSS flaws were reported in Cumin.  These flaws could be used by a remote attacker to inject arbitrary web script on a web page displayed by Cumin.

To solve the problem, xml_escape() (as defined in wooly/python/wooly/util.py, a simple wrapper around xml.sax.saxutils.escape()) is called on any values that are displayed on a web page and originate outside of Cumin, or through a form submitted by a user.  Many of these have been corrected upstream in r5238 [1].

[1] https://fedorahosted.org/pipermail/cumin-developers/2012-March/000796.html
Comment 1 Trevor McKay 2012-03-22 12:39:48 UTC 
Created attachment 571986 [details]
Technical write up on vulnerabilities, fixes, and testing

Slightly different than the original version, but only because I changed the integers used in alert scripts to be unique so that when they are run it is unambiguous which one is displaying.  This might be helpful when testing Cumin for the presences of errors.
Comment 2 Trevor McKay 2012-03-22 12:40:51 UTC 
Created attachment 571987 [details]
Quota config, referenced from the pdf
Comment 3 Trevor McKay 2012-03-22 12:41:54 UTC 
Created attachment 571988 [details]
Aviary submit script, referenced from the pdf
Comment 4 errata-xmlrpc 2012-04-12 16:39:36 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0477 https://rhn.redhat.com/errata/RHSA-2012-0477.html
Comment 5 errata-xmlrpc 2012-04-12 16:39:54 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5 v. 2

Via RHSA-2012:0476 https://rhn.redhat.com/errata/RHSA-2012-0476.html
Comment 6 Vincent Danen 2012-04-12 16:54:18 UTC 
Created cumin tracking bugs for this issue

Affects: fedora-all [bug 812066]
Comment 7 Vincent Danen 2013-02-15 17:12:12 UTC 
Current Fedora ships cumin-0.1.5522 which is based on upstream svn r5522 and includes this fix.
Note You need to log in before you can comment on or make changes to this bug.