Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 24 Aug 2016 14:08:39 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-6320: Foreman stored XSS in network interface device
 identifiers

CVE-2016-6320: Foreman stored XSS in network interface device identifiers

Network interface identifiers stored for hosts may contain HTML or
JavaScript that allows a stored XSS (cross-site scripting) vulnerability
when later viewing the host edit form, which contains detail on each
stored network interface.

This issue was reported by Sanket Jagtap.

Affects Foreman 1.8.0 and higher
Fix released in Foreman 1.12.2

Patch:
https://github.com/theforeman/foreman/commit/53081ea14b30d66f0d67b62fe950a2c1463225f5

More information:
https://theforeman.org/security.html#2016-6320
http://projects.theforeman.org/issues/16022
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org








[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ