Red Hat Bugzilla – Bug 1100313
CVE-2014-3491 foreman: XSS in Configure -> Host groups key name
Last modified: 2015-01-29 21:41:46 EST
Description of problem:
possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list
Upstream embargoed bug opened at http://projects.theforeman.org/issues/5881.
This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.
The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.
This was fixed in versions Foreman 1.4.5 and 1.5.1 upstream.
his issue has been addressed in the following products:
Red Hat Satellite 6
Via the GA release of Satellite 6.