manila-ui is vulnerable to reflected cross-site scripting (XSS). The Create Share
form takes user-supplied metadata and passes it to a call to mark_safe().
This allows remotely authenticated, but unprivileged users to insert JavaScript code.
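
The flaw class described above, shown as an added example (not manila-ui's own code): a vulnerable metadata renderer beside a corrected one. SafeText, mark_safe and conditional_escape are simplified standard-library stand-ins for the Django helpers of the same name, and the render functions and sample input are hypothetical.

```python
# Added example: stdlib model of Django's safe-string auto-escaping.
# SafeText, mark_safe and conditional_escape are simplified stand-ins for the
# Django helpers of the same name; the render functions are hypothetical.
from html import escape


class SafeText(str):
    """Marks a string as already-safe HTML, so the renderer will not escape it."""


def mark_safe(s):
    return SafeText(s)


def conditional_escape(value):
    # What template auto-escaping does: escape everything not marked safe.
    return value if isinstance(value, SafeText) else SafeText(escape(str(value)))


def render_metadata_vulnerable(metadata):
    # Flaw: user-controlled keys and values are joined into markup and the
    # whole string is marked safe, so auto-escaping is bypassed.
    rows = "<br/>".join(f"{k} = {v}" for k, v in metadata.items())
    return conditional_escape(mark_safe(rows))


def render_metadata_fixed(metadata):
    # Fix: escape each user-supplied piece first; only the markup the
    # application itself wrote (the <br/> separator) is trusted.
    rows = "<br/>".join(
        f"{conditional_escape(k)} = {conditional_escape(v)}"
        for k, v in metadata.items()
    )
    return conditional_escape(mark_safe(rows))


# Constructed sample input, as a user might submit in a metadata field.
SAMPLE = {"project": "alpha", "note": "<script>alert(1)</script>"}

if __name__ == "__main__":
    print("vulnerable:", render_metadata_vulnerable(SAMPLE))
    print("fixed:     ", render_metadata_fixed(SAMPLE))
```

In real Django code, format_html() or format_html_join() gives the corrected behaviour without hand-written escaping.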
rhn.redhat.com/errata/RHSA-2016-2115.html
rhn.redhat.com/errata/RHSA-2016-2116.html
rhn.redhat.com/errata/RHSA-2016-2117.html
www.openwall.com/lists/oss-security/2016/09/15/7
www.securityfocus.com/bid/93001
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/manila-ui/+bug/1597738
bugzilla.redhat.com/show_bug.cgi?id=1375147