CVE-2015-5282: XSS

First published: Thu Sep 17 2015(Updated: )

A vulnerability allowing XSS in Foreman 1.7.0 and higher was reported from upstream. It is allowed to store the key/value parameters globally or assigned to various objects and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box. Upstream bug: <a href="http://projects.theforeman.org/issues/11859">http://projects.theforeman.org/issues/11859</a>

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/references
• agent/type
• agent/softwarecombine
• agent/first-publish-date
• collector/mitre-cve
• source/MITRE
• agent/severity
• agent/author
• agent/remedy
• agent/last-modified-date
• agent/weakness
• agent/tags
• agent/event
• agent/description
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2015-5282
• agent/software-canonical-lookup
• vendor/theforeman
• canonical/theforeman foreman
• version/theforeman foreman/1.7.0
• version/theforeman foreman/1.7.1
• version/theforeman foreman/1.7.2
• version/theforeman foreman/1.7.3
• version/theforeman foreman/1.7.4
• version/theforeman foreman/1.7.5
• version/theforeman foreman/1.8.0
• version/theforeman foreman/1.8.1
• version/theforeman foreman/1.8.2
• version/theforeman foreman/1.8.3
• version/theforeman foreman/1.8.4
• version/theforeman foreman/1.9.0
• version/theforeman foreman/1.9.1
• version/theforeman foreman/1.9.2
• version/theforeman foreman/1.9.3
• version/theforeman foreman/1.10.0
• version/theforeman foreman/1.10.1
• version/theforeman foreman/1.10.2
• version/theforeman foreman/1.10.3
• version/theforeman foreman/1.10.4
• version/theforeman foreman/1.11.0
• version/theforeman foreman/1.11.1
• version/theforeman foreman/1.11.2
• version/theforeman foreman/1.11.3
• version/theforeman foreman/1.11.4
• version/theforeman foreman/1.12.0
• version/theforeman foreman/1.12.1
• version/theforeman foreman/1.12.2
• version/theforeman foreman/1.12.3
• version/theforeman foreman/1.12.4
• version/theforeman foreman/1.13.0
• version/theforeman foreman/1.13.1
• version/theforeman foreman/1.13.2
• version/theforeman foreman/1.13.3
• version/theforeman foreman/1.13.4
• version/theforeman foreman/1.14.0
• version/theforeman foreman/1.14.1
• version/theforeman foreman/1.14.2
• version/theforeman foreman/1.14.3
• version/theforeman foreman/1.15.0
• version/theforeman foreman/1.15.1
• version/theforeman foreman/1.15.2
• version/theforeman foreman/1.15.3
• version/theforeman foreman/1.15.4
• version/theforeman foreman/1.16.0
• package-manager/redhat