Foreman CVE-2018-14664 Multiple HTML Injection Vulnerabilities

Bugtraq ID:	106553
Class:	Input Validation Error
CVE:	CVE-2018-14664
Remote:	Yes
Local:	No
Published:	Oct 10 2019 12:00AM
Updated:	Oct 10 2019 12:00AM
Credit:	Sanket Jagtap (Red Hat Pune India).
Vulnerable:	Redhat Satellite 6 Foreman Foreman 1.18
Not Vulnerable:	Foreman Foreman 1.20 Foreman Foreman 1.19.1 Foreman Foreman 1.18.3

Foreman CVE-2018-14664 Multiple HTML Injection Vulnerabilities

Foreman is prone to a multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Foreman CVE-2018-14664 Multiple HTML Injection Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

Foreman CVE-2018-14664 Multiple HTML Injection Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Foreman CVE-2018-14664 Multiple HTML Injection Vulnerabilities

References:

• Foreman Homepage (Foreman)
  
• Bug 1638130 (CVE-2018-14664) - CVE-2018-14664 foreman: Persisted XSS on all pag (Redhat)
  
• CVE-2018-14664 - Persisted XSS on all pages that use breadcrumbs (theforeman)
  
• CVE-2018-14664 (Redhat)