Bug 1811998 (CVE-2019-3686) - CVE-2019-3686 openqa: XSS in the distri and version parameter leads to remote code execution
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2019-3686
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1811999
Blocks:
Reported: 2020-03-10 11:14 UTC by Michael Kaplan
Modified: 2020-03-10 15:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-03-10 15:10:31 UTC
Embargoed:



Description Michael Kaplan 2020-03-10 11:14:46 UTC
There is an XSS in openqa in the distri and version parameters which could lead to remote code execution and an information leak.

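The report above names the bug class (reflected XSS through the distri and version query parameters) but does not show the affected openQA template. The following is an added, self-contained illustration of that class, not openQA's code and not taken from this bug or the linked fix: a hypothetical overview page that interpolates the two parameters verbatim, the same page with context-appropriate escaping (html.escape for text and attribute values, quote_plus for the query string of a generated link), and a small check that reports any tag in the rendered output that the template itself did not emit. The parameter values are constructed sample inputs.

```python
import html
import re
from urllib.parse import quote_plus

# Constructed sample inputs for the distri and version query parameters:
# a benign pair and one carrying an XSS payload in "version".
BENIGN = {"distri": "opensuse", "version": "15.1"}
MALICIOUS = {"distri": "opensuse", "version": '15.1"><script>alert(1)</script>'}


def render_vulnerable(params):
    """Hypothetical vulnerable template: the parameters are interpolated
    into HTML text and into an href attribute without any escaping."""
    return (
        f'<h2>Test results for {params["distri"]} {params["version"]}</h2>\n'
        f'<a href="/tests/overview?distri={params["distri"]}'
        f'&version={params["version"]}">overview</a>'
    )


def render_hardened(params):
    """Hardened form of the same template: each value is escaped for the
    context it lands in. Text/attribute content gets html.escape (with
    quote=True so a stray '"' cannot close the attribute); values placed
    in the query string of a generated URL are percent-encoded first, and
    the finished URL is then HTML-escaped as an attribute value."""
    distri_txt = html.escape(params["distri"], quote=True)
    version_txt = html.escape(params["version"], quote=True)
    href = (
        "/tests/overview?distri=" + quote_plus(params["distri"])
        + "&version=" + quote_plus(params["version"])
    )
    return (
        f"<h2>Test results for {distri_txt} {version_txt}</h2>\n"
        f'<a href="{html.escape(href, quote=True)}">overview</a>'
    )


# Matches any opening or closing HTML tag in the rendered output.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def injected_tags(rendered, expected_tags=("h2", "a")):
    """Returns the sorted tag names present in the rendered page that the
    template does not emit itself. A non-empty result means a parameter
    value broke out of its intended text or attribute context."""
    found = set()
    for match in TAG_RE.finditer(rendered):
        name = TAG_NAME_RE.match(match.group(0)).group(1).lower()
        if name not in expected_tags:
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print("vulnerable, malicious input:", injected_tags(render_vulnerable(MALICIOUS)))
    print("hardened,   malicious input:", injected_tags(render_hardened(MALICIOUS)))
```

Run directly, the vulnerable rendering of the malicious input reports an unexpected `script` tag while the hardened rendering reports nothing; the same payload survives only as `&lt;script&gt;` in the text and as `%3Cscript%3E` inside the link. Note that escaping is per context: a value that is safe in element text is not automatically safe inside an unquoted attribute or a URL, which is why the hardened template treats the href separately.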
Comment 1 Michael Kaplan 2020-03-10 11:15:03 UTC
Created openqa tracking bugs for this issue:

Affects: fedora-all [bug 1811999]

Comment 2 Michael Kaplan 2020-03-10 11:15:42 UTC
SUSE reference:

https://bugzilla.suse.com/show_bug.cgi?id=1142849

Comment 3 Adam Williamson 2020-03-10 15:10:31 UTC
Thanks, but I fixed this six months ago :)

https://bugzilla.suse.com/show_bug.cgi?id=1142849#c3

All stable releases are on upstream snapshots with the fix for this (and for a similar issue in comments that was fixed shortly afterwards) already included - yes, even F30, which is a bit behind the other branches; it's on an early August snapshot from shortly after the fix for this landed. Before that I had it backported (it was https://github.com/os-autoinst/openQA/pull/2213 ).
