VYPR
Unrated severity · OSV Advisory · Published Oct 12, 2018 · Updated Aug 5, 2024

CVE-2018-14664

Description

A flaw was found in Foreman from version 1.18 onward. A stored cross-site scripting vulnerability exists due to improperly escaped HTML code in the breadcrumbs bar. This allows a user with permission to edit the attribute used in the breadcrumbs bar to store code that will be executed on the client side.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in Foreman's breadcrumbs bar allows authenticated users with edit permissions to inject arbitrary JavaScript.

Vulnerability

The vulnerability is a stored cross-site scripting (XSS) flaw in Foreman versions 1.18 and later. It exists because the breadcrumbs bar does not properly escape HTML when displaying user-controlled attributes. An authenticated user with permission to edit the attribute used in the breadcrumbs bar can inject script code that is stored and later executed on the client side. Foreman 1.18 through 1.20 are affected; the flaw is fixed in later releases. [1][2]

Exploitation

An attacker must have a valid Foreman account with permissions to modify the attribute that populates the breadcrumbs bar. The attacker can then craft a payload containing JavaScript and set it as the attribute value. When any user (including administrators) navigates to a page that renders the breadcrumbs bar, the injected script executes in the context of the victim's browser. No additional user interaction is required beyond viewing the affected page. [2]

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. This can result in session hijacking, data theft, defacement, or other client-side attacks. The attacker can perform actions on behalf of the victim, potentially escalating privileges or accessing sensitive information within the Foreman application. [2]

Mitigation

The fix was released in Foreman 1.20.1.34-1.el7sat as part of Red Hat Satellite 6.5 (RHSA-2019:1222) [1]. Users should upgrade to the patched version. No workarounds are documented; restricting the permission to edit breadcrumb attributes may reduce risk but does not fully mitigate the issue. [1][2]
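As an added illustration of the bug class described above (not Foreman's own code and not taken from the advisory), the unescaped rendering pattern is shown beside the escaped form in Ruby, since Foreman is a Rails application; the helper names, the crumb structure and the sample values are hypothetical.

```ruby
require "erb"

# Minimal stand-in for a breadcrumbs helper: each crumb is a [label, path] pair,
# where the label comes from a user-editable attribute (e.g. a host name).
# Hypothetical names; this is not Foreman's implementation.

# Vulnerable pattern: the label is interpolated into the HTML as-is, so any
# markup stored in the attribute becomes part of the rendered page.
def render_breadcrumbs_unsafe(crumbs)
  items = crumbs.map { |label, path| %(<li><a href="#{path}">#{label}</a></li>) }
  %(<ul class="breadcrumb">#{items.join}</ul>)
end

# Hardened pattern: every untrusted value is HTML-escaped at render time,
# so stored markup is displayed as text instead of being interpreted.
def render_breadcrumbs_safe(crumbs)
  items = crumbs.map do |label, path|
    safe_path  = ERB::Util.html_escape(path)
    safe_label = ERB::Util.html_escape(label)
    %(<li><a href="#{safe_path}">#{safe_label}</a></li>)
  end
  %(<ul class="breadcrumb">#{items.join}</ul>)
end

# Regression check for a view test or CI guard: does the rendered HTML still
# contain a label's raw markup (an unescaped angle bracket) verbatim?
def breadcrumb_markup_leaks?(html, labels)
  labels.any? { |l| l.include?("<") && html.include?(l) }
end

# Constructed sample: a crumb label that an editor stored with markup in it.
TAINTED_LABEL = "<script>alert(1)</script>".freeze
SAMPLE_CRUMBS = [["Hosts", "/hosts"], [TAINTED_LABEL, "/hosts/42"]].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_breadcrumbs_unsafe(SAMPLE_CRUMBS)}"
  puts "safe:   #{render_breadcrumbs_safe(SAMPLE_CRUMBS)}"
end
```

The leak check is the kind of assertion a view test can carry so that a future template change that drops the escaping is caught before release.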

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
