It was found that jQuery-UI, a library for manipulating UI elements via jQuery, has a cross-site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If an application passes user input to this parameter, it may be vulnerable to XSS.

Upstream patch:
https://github.com/jquery/jquery-ui/pull/1622

External References:
https://nodesecurity.io/advisories/127
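A heuristic audit for the condition described above (a non-constant value reaching closeText), as an added example that is not part of this bug report or of jQuery UI. The sample source and names such as `userLabel` are constructed, and the text scan assumes the option is written inline at the call site, so values carried in a separately built options object are not seen.

```javascript
// Added example: flag jQuery UI dialog call sites whose closeText is not a
// plain string literal. SAMPLE is constructed; its identifiers are hypothetical.
const SAMPLE = [
  '$("#a").dialog({ title: "Info", closeText: "Close" });',
  '$("#b").dialog({ closeText: userLabel });',
  '$("#c").dialog("option", "closeText", params.get("label"));',
  "$('#d').dialog({ closeText: 'Dismiss ' + name });",
  '$("#e").dialog("option", "closeText", "Hide");',
].join("\n");

// One complete quoted string and nothing else (no concatenation, no template).
const LITERAL = /^(?:"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')$/;

// Where a closeText value begins: option-object form and option-setter form.
const STARTS = [
  /\bcloseText\s*:\s*/g,
  /\.dialog\(\s*(["'])option\1\s*,\s*(["'])closeText\2\s*,\s*/g,
];

// Read the expression starting at i up to the first top-level , ; ) } or newline.
function readExpr(src, i) {
  const start = i;
  let depth = 0, quote = null;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") quote = c;
    else if ("([{".includes(c)) depth++;
    else if (")]}".includes(c)) { if (depth === 0) break; depth--; }
    else if (depth === 0 && ",;\n".includes(c)) break;
  }
  return src.slice(start, i).trim();
}

function findDynamicCloseText(src) {
  const findings = [];
  for (const re of STARTS) {
    re.lastIndex = 0;
    for (let m; (m = re.exec(src)) !== null; ) {
      const expr = readExpr(src, re.lastIndex);
      if (LITERAL.test(expr)) continue;    // constant label: nothing to review
      findings.push({ line: src.slice(0, m.index).split("\n").length, expr });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

console.log(findDynamicCloseText(SAMPLE));
```

Each finding is a call site to trace back to its data source; a value derived from user input should be HTML-escaped before it reaches closeText, or the library updated to a build that includes the upstream patch.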
Created python-XStatic-jquery-ui tracking bugs for this issue:
Affects: fedora-all [bug 1360289]
Affects: epel-7 [bug 1360291]
Created rubygem-jquery-ui-rails tracking bugs for this issue: Affects: fedora-all [bug 1360290]
I have downgraded the impact to low as it's unlikely that a user-controlled variable would be passed to the dialog box close field.
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2016:2933 https://rhn.redhat.com/errata/RHSA-2016-2933.html
This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) Via RHSA-2016:2932 https://rhn.redhat.com/errata/RHSA-2016-2932.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2017:0161 https://rhn.redhat.com/errata/RHSA-2017-0161.html
Created python-XStatic-jquery-ui tracking bugs for this issue:
Affects: openstack-rdo [bug 1438800]

Created rubygem-jquery-ui-rails tracking bugs for this issue:
Affects: openstack-rdo [bug 1438799]
> can we get a tracker for RDO as it is impacted and was missed when this was created.

Hi Jon, I've added tracking bugs for both the affected Python and Ruby libraries in RDO.
Statement: Red Hat Enterprise Satellite 5 is now in phase 3 of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.