Details

    • Team:
      Team A
    • Sprint:
      Sprint 15, Sprint 16
    • Story Points:
      1

      Description

      There are multiple reflected xss vulnerabilities in frontend.

      POC is the following maliciously crafted link ("zabbix.internal" should be replaced with your domain name):
      http://zabbix.internal/popup.php?dstfrm=expression&dstfld1=itemid&srctbl=items&srcfld2=name&srcfld1=itemid&dstfld2=%22:alert(document.cookie)%2B%22%22,%22

      This link leads to a page with item list. Each item name contains onclick handler with injected script.

      Clicking on any of the item names causes script execution:

      Another example would be the following link:
      http://zabbix.internal/screen.import.php?backurl=javascript:alert(document.cookie)&

      Click on "Cancel" button will cause execution of injected script.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                gcalenko Gregory Chalenko
                Reporter:
                vjaceslavs Vjaceslavs Bogdanovs
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: