Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 11 Nov 2016 12:56:55 +0000
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-8639: Foreman stored XSS in orgs/locations in settings

CVE-2016-8639: Foreman settings dropdown menus may run stored XSS in
organization/location name

If an organization or location is created with a name containing HTML,
then the administrator-only Settings page will render the HTML as part
of a dropdown menu.

This may permit a stored XSS attack if an organization/location with
HTML in the name is created, then an administrator attempts to change
the default organization/location settings.

Mitigation: restrict permissions to organization and location creation,
use the API or CLI instead to change the default organization/location
settings.

Note: this CVE identifier has been assigned retrospectively, to describe
a vulnerability that was fixed during a refactoring of the affected code.

This issue was reported by Sanket Jagtap.

Affects Foreman 1.11.0 to 1.12.4
Fix released in Foreman 1.13.0

Patch (a refactoring):
https://github.com/theforeman/foreman/commit/d163507797c5d9c20249aa4d858465cbb74be229

More information:
https://theforeman.org/security.html#2016-8639
http://projects.theforeman.org/issues/15037
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org




Download attachment "signature.asc" of type "application/pgp-signature" (210 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ