CVE-2015-5282: Foreman is affected by a stored XSS vulnerability in its parameter key/value web UI.
A checkbox exists to hide the values of parameters stored in the application, masking them from casual viewing. When the hide/show checkbox is toggled, the value is masked or unmasked in the UI, but the parameter value was not escaped when the UI was updated, which allowed stored HTML/JS to be evaluated in the viewer's browser.
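To illustrate the class of bug described above, the following is an added example (not Foreman's code and not the linked patch): a hypothetical render helper that interpolates the stored parameter value into markup unescaped, beside the corrected version that escapes it first. Function names, the masking string and the sample value are constructed for the example.

```javascript
// Added example, not Foreman's code. Names are hypothetical.

// Minimal HTML escaping for text that is interpolated into an HTML string.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fixed-length mask so the masked view does not leak the value's length.
const MASK = '********';

// Vulnerable pattern: the stored value is concatenated into markup as-is, so
// any HTML stored in the parameter is parsed as HTML when the UI is updated
// (the same effect as assigning it to element.innerHTML in a browser).
function renderValueUnsafe(value, hidden) {
  const shown = hidden ? MASK : value;
  return '<span class="param-value">' + shown + '</span>';
}

// Corrected pattern: the value is escaped before it reaches the markup, so it
// is displayed as text whatever it contains. In a real DOM update, assigning
// to element.textContent instead of element.innerHTML achieves the same.
function renderValueSafe(value, hidden) {
  const shown = hidden ? MASK : value;
  return '<span class="param-value">' + escapeHtml(shown) + '</span>';
}

// Constructed stored value containing markup, used to show the difference.
const STORED_VALUE = '<b>example-value</b>';

function demo() {
  return {
    unsafe: renderValueUnsafe(STORED_VALUE, false), // markup survives intact
    safe: renderValueSafe(STORED_VALUE, false),     // markup rendered as text
    masked: renderValueSafe(STORED_VALUE, true),    // value hidden
  };
}

console.log(demo());
```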
Affects: Foreman 1.7.0 or higher
Fix to be released in Foreman 1.10.0
Patch:
https://github.com/theforeman/foreman/commit/4f3555b217be8723e8045f9816d147b5f684ec57
More information:
http://theforeman.org/security.html#2015-5282
http://projects.theforeman.org/issues/11859
http://theforeman.org/
--
Dominic Cleal