CVE-2015-3162

Name of the Vulnerable Software and Affected Versions Beaker version 20.1

Description A cross-site scripting (XSS) issue exists in the edit comment dialog, allowing remote authenticated users to inject arbitrary web script or HTML by writing a crafted comment on an acked or nacked canceled job. This occurs due to insufficient input validation in the bkr/server/widgets.py file.

Recommendations For Beaker version 20.1, as a temporary workaround, consider restricting access to the edit comment dialog until a patch is available. Avoid using the edit comment feature on acked or nacked canceled jobs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.