Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 9 Nov 2016 13:28:53 +0000
From: Dominic Cleal <>
Subject: CVE-2016-8634: Foreman stored XSS in orgs/locations wizard step

CVE-2016-8634: Foreman organization/location wizard may run stored XSS
in name

When creating an organization or location in Foreman, if the name
contains HTML then the second step of the wizard will render the HTML.
This occurs in the alert box on the page.

This may permit a stored XSS attack if an organization/location with
HTML in the name is created, then a user is linked directly to this URL.

Mitigation: restrict permissions to organization and location creation,
don't follow untrusted links to Foreman.

This issue was reported by Sanket Jagtap.

Affects Foreman 1.1 and higher
Fix due to be released in Foreman 1.14.0


More information:

Dominic Cleal

Download attachment "signature.asc" of type "application/pgp-signature" (210 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.