Date: Fri, 11 Nov 2016 12:56:55 +0000 From: Dominic Cleal <dominic@...al.org> To: oss-security@...ts.openwall.com Cc: foreman-security@...glegroups.com Subject: CVE-2016-8639: Foreman stored XSS in orgs/locations in settings CVE-2016-8639: Foreman settings dropdown menus may run stored XSS in organization/location name If an organization or location is created with a name containing HTML, then the administrator-only Settings page will render the HTML as part of a dropdown menu. This may permit a stored XSS attack if an organization/location with HTML in the name is created, then an administrator attempts to change the default organization/location settings. Mitigation: restrict permissions to organization and location creation, use the API or CLI instead to change the default organization/location settings. Note: this CVE identifier has been assigned retrospectively, to describe a vulnerability that was fixed during a refactoring of the affected code. This issue was reported by Sanket Jagtap. Affects Foreman 1.11.0 to 1.12.4 Fix released in Foreman 1.13.0 Patch (a refactoring): https://github.com/theforeman/foreman/commit/d163507797c5d9c20249aa4d858465cbb74be229 More information: https://theforeman.org/security.html#2016-8639 http://projects.theforeman.org/issues/15037 https://theforeman.org -- Dominic Cleal dominic@...al.org [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ