
List:       oss-security
Subject:    [oss-security] CVE-2016-6319: Foreman stored XSS in form label helpers
From:       Dominic Cleal <dominic@cleal.org>
Date:       2016-08-24 13:07:01
Message-ID: 57BD9BF5.2040501@cleal.org

CVE-2016-6319: Foreman stored XSS in form label helpers

The "label" parameter of all form helpers used to construct web UI
components was not HTML-escaped, allowing stored XSS (cross-site
scripting) wherever attacker-controlled text reached that parameter.
Foreman itself did not contain exploitable code, but plugins that
relied on these form helpers could be vulnerable. One known vulnerable
plugin is Remote Execution; all versions of this plugin are affected.
Because the fix is applied in Foreman's own helpers, upgrading Foreman
covers plugins that use them, and plugin authors should not assume a
label they pass is escaped on older releases.
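
To illustrate the bug class, the following is an added example and is
not Foreman's code nor the content of the patch linked below. It is a
hypothetical Rails-style label helper shown in a vulnerable form and a
hardened form, using Ruby's standard-library ERB::Util.html_escape (the
routine Rails' `h` helper delegates to) so it runs without Rails. The
stored label string is constructed for the demonstration.

```ruby
require 'erb'

# Constructed sample: a plugin stores a user-supplied name (say a job
# template name) and later hands it to a form helper as :label, so the
# label text is attacker controlled.
STORED_LABEL = 'Job name<script>alert(document.cookie)</script>'

# Vulnerable shape (hypothetical, not Foreman's helper): the label is
# interpolated into the markup verbatim, so a <script> element written
# into the label reaches every browser that renders the form.
def vulnerable_label_tag(field, options = {})
  label = options[:label] || field.to_s
  %(<label for="#{field}">#{label}</label>)
end

# Hardened shape: every caller-controlled fragment is HTML-escaped before
# interpolation. ERB::Util.html_escape turns < > & " ' into entities, so
# the payload is rendered as visible text instead of executed.
def safe_label_tag(field, options = {})
  label = options[:label] || field.to_s
  %(<label for="#{ERB::Util.html_escape(field)}">#{ERB::Util.html_escape(label)}</label>)
end

# Regression check a test suite could run against every helper that
# accepts :label: render with a marker payload and require that the raw
# tag does not survive while its escaped form does.
def label_escaped?(helper)
  html = send(helper, :job_name, label: STORED_LABEL)
  !html.include?('<script>') && html.include?('&lt;script&gt;')
end

if __FILE__ == $0
  puts vulnerable_label_tag(:job_name, label: STORED_LABEL)
  puts safe_label_tag(:job_name, label: STORED_LABEL)
  puts "vulnerable helper escapes? #{label_escaped?(:vulnerable_label_tag)}"
  puts "safe helper escapes?       #{label_escaped?(:safe_label_tag)}"
end
```

In a real Rails helper the trap is usually a string assembled from
untrusted pieces and then marked `html_safe` (or emitted through `raw`),
which switches off the view layer's automatic escaping for the whole
string; building the tag from already-escaped fragments, as above, or
via `content_tag`, avoids that.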

Affects Foreman 1.6.0 and higher.
Fix released in Foreman 1.12.2; upgrade to that release or later.

Patch:
https://github.com/theforeman/foreman/commit/0f35fe14acf0d0d3b55e9337bc5e2b9640ff2372

More information:
https://theforeman.org/security.html#2016-6319
http://projects.theforeman.org/issues/16024
https://theforeman.org

-- 
Dominic Cleal
dominic@cleal.org
