1144211 – (CVE-2014-3649) CVE-2014-3649 JBoss AeroGear: reflected XSS via password field of the login page

Bug 1144211 (CVE-2014-3649) - CVE-2014-3649 JBoss AeroGear: reflected XSS via password field of the login page

Summary: CVE-2014-3649 JBoss AeroGear: reflected XSS via password field of the login page

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2014-3649
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-09-19 02:59 UTC by Trevor Jay
Modified:	2021-02-17 06:12 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-07 00:43:24 UTC
Embargoed:

Attachments	(Terms of Use)

Description Trevor Jay 2014-09-19 02:59:23 UTC

The password field accepts HTML content. When two-factor authentication is enabled, the password field is reflected back to the user when they are prompted for the "one-time-password" and it is rendered as HTML.

This vector can be used for a "drive-by" attack. By having a victim visit an attacker controlled page while logged in, the attacker can force them to issue a second login request containing a prepared password. When that password--containing a malicious payload--is reflected back to them as HTML, the attacker can gain control of the victim's session.

Comment 1 Arun Babu Neelicattu 2014-09-29 05:26:42 UTC

Upstream Issue:

https://issues.jboss.org/browse/AEROGEAR-1514

Comment 2 Trevor Jay 2014-09-29 05:45:03 UTC

Statement:

Not Vulnerable. Aerogear is not provided by any Red Hat product.

Note You need to log in before you can comment on or make changes to this bug.