Date: Fri, 11 Nov 2016 12:56:55 +0000
From: Dominic Cleal <>
Subject: CVE-2016-8639: Foreman stored XSS in orgs/locations in settings

CVE-2016-8639: Foreman settings dropdown menus may run stored XSS in
organization/location name

If an organization or location is created with a name containing HTML,
then the administrator-only Settings page will render the HTML as part
of a dropdown menu.

This may permit a stored XSS attack if an organization/location with
HTML in the name is created, then an administrator attempts to change
the default organization/location settings.

Mitigation: restrict the permissions that allow creating organizations and
locations, and use the API or CLI instead of the Settings page to change the
default organization/location.
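The advisory does not show the affected view code. The following is an added example, not Foreman's code, that illustrates the bug class in a constructed Rails-style option builder (Foreman is a Rails application): an organization name containing markup is interpolated unescaped into a dropdown, beside the escaped form and a check a reviewer can run over rendered markup. The names, sample data and helper functions are constructed for the illustration.

```ruby
# Added example (not Foreman's code): unescaped vs escaped rendering of a
# stored organization name inside a <select>, plus a markup check.
require 'erb'

# Constructed sample data: the second organization's name carries HTML.
ORGS = [
  { id: 1, name: 'Default Organization' },
  { id: 2, name: 'Acme <b>Corp</b>' },
].freeze

# Unsafe pattern: the stored name is interpolated straight into markup.
# In a Rails view this typically appears as a hand-built string marked
# .html_safe, which tells the template engine to skip escaping entirely.
def unsafe_options(orgs, selected_id)
  orgs.map do |org|
    sel = org[:id] == selected_id ? ' selected' : ''
    "<option value=\"#{org[:id]}\"#{sel}>#{org[:name]}</option>"
  end.join
end

# Safe pattern: escape every untrusted field before it enters the markup.
# Rails' options_for_select does this when handed plain strings; here the
# stdlib ERB::Util.html_escape (escapes & < > " ') stands in for it.
def safe_options(orgs, selected_id)
  h = ->(s) { ERB::Util.html_escape(s.to_s) }
  orgs.map do |org|
    sel = org[:id] == selected_id ? ' selected' : ''
    "<option value=\"#{h.call(org[:id])}\"#{sel}>#{h.call(org[:name])}</option>"
  end.join
end

# Regression check for a rendered dropdown: the only raw tags allowed are
# <option> and </option>. Any other tag means a name reached the page unescaped.
def only_option_tags?(html)
  html.scan(%r{</?([a-zA-Z][\w-]*)}).flatten.all? { |tag| tag.casecmp?('option') }
end
```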

Note: this CVE identifier has been assigned retrospectively, to describe
a vulnerability that was fixed during a refactoring of the affected code.

This issue was reported by Sanket Jagtap.

Affects Foreman 1.11.0 to 1.12.4
Fix released in Foreman 1.13.0

Patch (a refactoring):

More information:

Dominic Cleal

