Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1100313 - (CVE-2014-3491) CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security, Triaged
Depends On:
Blocks: 1130555
  Show dependency treegraph
Reported: 2014-05-22 09:56 EDT by Adam Saleh
Modified: 2015-01-29 21:41 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-01-29 21:41:46 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Saleh 2014-05-22 09:56:42 EDT
Description of problem:
possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
     Name: test<script>alert('HI')</script>
   Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list

Actual results:
Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed)

Expected results:
Submit button should not execute javascript
Comment 3 Dominic Cleal 2014-05-22 10:43:33 EDT
Upstream embargoed bug opened at http://projects.theforeman.org/issues/5881.

This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources.  I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.

The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.
Comment 6 Kurt Seifried 2015-01-29 21:33:35 EST
This was fixed in versions Foreman 1.4.5 and 1.5.1 upstream.
Comment 7 Kurt Seifried 2015-01-29 21:41:46 EST
his issue has been addressed in the following products:

  Red Hat Satellite 6

Via the GA release of Satellite 6.

Note You need to log in before you can comment on or make changes to this bug.