CVE-2016-8613

Name of the Vulnerable Software and Affected Versions Foreman version 1.5.1

Description A flaw in the remote execution plugin allows commands to be run on hosts over SSH from the Foreman web UI. When a job containing HTML tags is submitted, the console output in the web UI does not escape the output, causing any HTML or JavaScript to run in the user's browser. This results in a stored XSS issue, as the output of the job is stored.

Recommendations For Foreman version 1.5.1, update to a version that includes a fix for this issue to prevent stored XSS attacks. As a temporary workaround, consider disabling the remote execution plugin until a patch is available. Restrict access to the web UI to minimize the risk of exploitation. Avoid submitting jobs with HTML tags in the affected Foreman version until the issue is resolved.