oss-security - CVE-2016-6320: Foreman stored XSS in network interface device identifiers

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Date: Wed, 24 Aug 2016 14:08:39 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-6320: Foreman stored XSS in network interface device
 identifiers

CVE-2016-6320: Foreman stored XSS in network interface device identifiers

Network interface identifiers stored for hosts may contain HTML or
JavaScript that allows a stored XSS (cross-site scripting) vulnerability
when later viewing the host edit form, which contains detail on each
stored network interface.

This issue was reported by Sanket Jagtap.

Affects Foreman 1.8.0 and higher
Fix released in Foreman 1.12.2

Patch:
https://github.com/theforeman/foreman/commit/53081ea14b30d66f0d67b62fe950a2c1463225f5

More information:
https://theforeman.org/security.html#2016-6320
http://projects.theforeman.org/issues/16022
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org








Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.