Red Hat Bugzilla – Bug 1108241
CVE-2014-3492 Foreman: XSS from stored YAML
Last modified: 2015-01-29 21:41:56 EST
Users can create malicious YAML content (for example, a host parameter containing HTML content). When viewed in the Foreman UI, the YAML preview feature will render the HTML and execute it in the browser.
This issue was discovered by Dominic Cleal of Red Hat.
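The rendering flaw described above, shown as an added illustration that is not Foreman's code or its upstream fix: a constructed host parameter carrying HTML markup is serialized to YAML and embedded in a page, once verbatim (the stored XSS) and once HTML-escaped (the mitigation). The parameter name `motd` and the helper functions are assumptions for this example.

```ruby
require 'yaml'
require 'cgi'

# Constructed sample: a host parameter whose value carries script markup.
# (Hypothetical parameter name; any attacker-controlled string works the same way.)
HOST_PARAMS = { 'motd' => '<script>alert("xss")</script>' }.freeze

# Vulnerable pattern: the YAML text is dumped and inserted into the page as-is,
# so the browser interprets the embedded tags instead of showing them as text.
def render_yaml_unsafe(params)
  yaml = YAML.dump(params)
  "<pre>#{yaml}</pre>"
end

# Hardened pattern: HTML-escape the YAML text before it is embedded, so
# '<', '>', '&' and quotes reach the browser as entities and are displayed, not executed.
def render_yaml_escaped(params)
  yaml = YAML.dump(params)
  "<pre>#{CGI.escapeHTML(yaml)}</pre>"
end

# Check used by a reviewer or test: does the rendered HTML still contain a raw
# script tag that originated in the stored data?
def contains_raw_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe  : #{render_yaml_unsafe(HOST_PARAMS).inspect}"
  puts "escaped : #{render_yaml_escaped(HOST_PARAMS).inspect}"
end
```

The same check generalizes to any YAML, JSON or plain-text preview: whatever serializer produced the text, it must pass through the view layer's HTML escaping (in Rails, the default `<%= %>` escaping rather than `raw`/`html_safe`) before it is placed in the DOM.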
Upstream fix (in 1.4.5 and 1.5.1):
This issue has been addressed in the following products:
Red Hat Satellite 6
Via the GA release of Satellite 6.