[ZBX-12768] WASA Findings from NSOC Team - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.2.20rc1, 3.0.11rc1, 3.2.8rc1, 3.4.2rc1, 4.0.0alpha1, 4.0 (plan)
Component/s: Frontend (F)
Labels:
- frontend
- security
Environment:
Zabbix 3.0.9

Team:
Team D
Sprint:
Sprint 8, Sprint 9, Sprint 10, Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 32, Sprint 33, Sprint 34
Story Points:
1

Description

Our VA NSOC WASA team has found the 2 High Findings during a WASA security Scan and need assistance from Zabbix to address the findings.

1. Web Application is Vulnerable to Stored Cross-Site Scripting (XSS) Attacks

          1.	Login to the Zabbix application 
          2.	Navigate to Maps > Create Map > Add Icon > Add Link > URL:   Name: test URL: javascript:alert('eas') 
          3.	Update Map
          4.	Return to Map
          5.	Click created icon
          6.	Observe JavaScript POC.

2. Web Application is Vulnerable to Cross-Site Request Forgery (CSRF)

1.	Log on to Application
2.	Navigate Administration--> Users --> Create Users
3.	Click attached html
 
4.	Observe new user added

Attachments

Issue Links

is duplicated by

ZBX-13093 Cannot use LLD macro in the URL of the trigger prototype.

Closed

ZBX-12825 error: Wrong value for url field.

Closed

ZBX-11831 Zabbix 2.2.8 - URL redirection

Closed

part of

ZBX-12769 Reflected xss vulnerabilities

Closed

Activity

People

Assignee:: Gregory Chalenko

Reporter:: Eric Lutjen

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 2017 May 22 15:27

Updated:: 2020 Jul 16 14:10

Resolved:: 2018 May 24 09:07