Description
A flaw was found in the Report Menu of ManageIQ where the title field was not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack against an application administrator using CloudForms. Please note that a Content Security Policy can prevent exploitation of this XSS; however, not all browsers support CSP.
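The render-time fix implied by the description, as an added illustration that is not ManageIQ's own code: an unescaped title rendering beside its HTML-escaped form, plus the Content-Security-Policy header the advisory names as a partial mitigation. The function names, the CSP value and the sample title are constructed for this example.

```ruby
require "erb"

# Constructed sample input: a stored report title that carries HTML and
# JavaScript, the kind of value the advisory says was not sanitized.
SAMPLE_TITLE = %q{Quarterly usage <script>document.title="x"</script>}

# Vulnerable pattern (illustrative, not ManageIQ's code): the stored title is
# interpolated straight into the page, so markup inside it is parsed and any
# script in it runs in the administrator's browser when the menu is viewed.
def render_title_unsafe(title)
  "<h1>#{title}</h1>"
end

# Hardened pattern: HTML-escape the value at render time. ERB::Util.html_escape
# is the escaping Rails applies to ERB output; <, >, &, " and ' become entities,
# so the stored string is displayed verbatim rather than interpreted as markup.
def render_title_safe(title)
  "<h1>#{ERB::Util.html_escape(title)}</h1>"
end

# Defence in depth mentioned in the advisory: a CSP without 'unsafe-inline'
# makes a CSP-aware browser refuse inline script even if escaping is missed.
# As the advisory notes, browsers without CSP support ignore this header.
def csp_header
  { "Content-Security-Policy" =>
      "default-src 'self'; script-src 'self'; object-src 'none'" }
end

# Crude detection used by the accompanying checks: does the rendered fragment
# still contain a live <script> element? Real tests would parse the DOM.
def contains_script_tag?(html)
  html.match?(%r{<script[\s>]}i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_title_unsafe(SAMPLE_TITLE) # script element survives
  puts render_title_safe(SAMPLE_TITLE)   # entities only, nothing executes
end
```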
Acknowledgements
Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting this issue.
https://access.redhat.com/security/cve/cve-2020-10777
Fixed in ivanchuk-7, jansa-1-rc2, master.