Date: Wed, 24 Aug 2016 14:07:01 +0100
From: Dominic Cleal <>
Subject: CVE-2016-6319: Foreman stored XSS in form label helpers

CVE-2016-6319: Foreman stored XSS in form label helpers

The "label" parameter of all form helpers used to construct web UI
components was not escaped, allowing XSS (cross-site scripting). The
Foreman itself did not contain exploitable code, but other plugins that
relied on these form helpers could be vulnerable. One known vulnerable
plugin is Remote Execution; all versions of this plugin are affected.

Affects Foreman 1.6.0 and higher
Fix released in Foreman 1.12.2
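As an added illustration, not Foreman's code and not part of the advisory, here is a simplified Ruby form label helper written in the unescaped pattern described above beside an escaped version, using ERB::Util.html_escape from the Ruby standard library in place of the Rails helpers. The helper names, the check function and the sample stored label are constructed for this example.

```ruby
require "erb"

# Simplified stand-in for a form label helper (constructed; not Foreman's
# actual helper code).
# Vulnerable pattern: the caller-supplied label is interpolated into the
# HTML string as-is, so a label value stored by one user is rendered as
# live markup in another user's browser.
def label_tag_unescaped(field, label)
  %(<label for="#{field}">#{label}</label>)
end

# Hardened pattern: every untrusted attribute and text value is passed
# through html_escape before interpolation. html_escape replaces
# & < > " ' with their character-entity forms.
def label_tag_escaped(field, label)
  f = ERB::Util.html_escape(field)
  l = ERB::Util.html_escape(label)
  %(<label for="#{f}">#{l}</label>)
end

# Defensive check for a test suite: the text between the <label> tags must
# be exactly the escaped form of the label, i.e. no raw markup from the
# label value survived into the rendered output.
def renders_label_as_text?(html, label)
  inner = html[%r{<label[^>]*>(.*)</label>}m, 1]
  inner == ERB::Util.html_escape(label)
end

# Constructed sample: a plugin stores a user-chosen value and later passes
# it as the label of a form field.
STORED_LABEL = %(Host "web01" <em>prod</em>)

if __FILE__ == $0
  puts label_tag_unescaped("host_name", STORED_LABEL) # markup passes through
  puts label_tag_escaped("host_name", STORED_LABEL)   # markup rendered as text
end
```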


More information:

Dominic Cleal

