oss-sec mailing list archives

CVE-2016-8639: Foreman stored XSS in orgs/locations in settings


From: Dominic Cleal <dominic () cleal org>
Date: Fri, 11 Nov 2016 12:56:55 +0000

CVE-2016-8639: Foreman settings dropdown menus may run stored XSS in
organization/location name

If an organization or location is created with a name containing HTML,
then the administrator-only Settings page renders that name unescaped as
part of a dropdown menu, so the HTML is interpreted by the browser.

This may permit a stored XSS attack if an organization/location with
HTML in the name is created, then an administrator attempts to change
the default organization/location settings.
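To illustrate the class of bug described above, here is an added example in Ruby (the language Foreman is written in). It is not Foreman's own code and does not reproduce the affected view; it shows a minimal dropdown builder that interpolates a stored organization name straight into `<option>` markup beside a hardened version that HTML-escapes the name first. The sample names, and the helper names `options_vulnerable`, `options_escaped` and `leaks_markup?`, are constructed for this example.

```ruby
require 'erb'

# Constructed sample names (not from the advisory): one benign name and one
# carrying an HTML payload, as a user with organization-creation rights
# could submit.
SAMPLE_NAMES = [
  'Engineering',
  '<script>alert(1)</script>'
].freeze

# Vulnerable pattern: the stored name is interpolated directly into the
# markup, so any HTML in it is emitted as markup and parsed by the browser
# when an administrator opens the page.
def options_vulnerable(names)
  names.map { |n| %(<option value="#{n}">#{n}</option>) }.join
end

# Hardened pattern: escape the name before interpolating it into both the
# attribute value and the element text, so the browser displays the literal
# characters instead of interpreting them.
def options_escaped(names)
  names.map do |n|
    safe = ERB::Util.html_escape(n)
    %(<option value="#{safe}">#{safe}</option>)
  end.join
end

# Review helper: after removing the <option> tags we emitted ourselves,
# does any raw '<' or '>' survive in the rendered fragment?  If so, user
# data has been emitted as markup.
def leaks_markup?(html)
  stripped = html.gsub(%r{</?option[^>]*>}, '')
  stripped.include?('<') || stripped.include?('>')
end

if __FILE__ == $PROGRAM_NAME
  puts 'vulnerable: ' + options_vulnerable(SAMPLE_NAMES)
  puts 'escaped:    ' + options_escaped(SAMPLE_NAMES)
end
```

Run with `ruby dropdown_xss.rb`: the vulnerable output contains a live `<script>` element in both the attribute and the option text, while the escaped output contains only `&lt;script&gt;...` entities. In a Rails view the same effect comes from using the framework's `options_for_select`/`content_tag` helpers and never marking user-controlled strings as `html_safe`.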

Mitigation: restrict the permissions that allow organization and location
creation, and use the API or CLI instead of the Settings page to change
the default organization/location settings.

Note: this CVE identifier has been assigned retrospectively, to describe
a vulnerability that was fixed during a refactoring of the affected code.

This issue was reported by Sanket Jagtap.

Affects Foreman 1.11.0 to 1.12.4
Fix released in Foreman 1.13.0

Patch (a refactoring):
https://github.com/theforeman/foreman/commit/d163507797c5d9c20249aa4d858465cbb74be229

More information:
https://theforeman.org/security.html#2016-8639
http://projects.theforeman.org/issues/15037
https://theforeman.org

-- 
Dominic Cleal
dominic () cleal org

