  1. ZABBIX BUGS AND ISSUES
  2. ZBX-14336

Persistent XSS vulnerability in Services (IT Services)


Details

    • Team C
    • Sprint 31, Sprint 32
    • 0.125

    Description

      There are multiple problems with Services (IT services):

      1. Create an IT service with the name "?" ) & alert(""XSS. When it is deleted from the frontend, custom JS (alert in this PoC) is executed.
      2. IT service creation through the API does not require any special permissions (as long as you can log in).

      The combination of the two makes it a great place for persistent XSS attacks. Maybe we should fix the API as well, because a user without permissions can create a mess in Services.
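
      One way to keep a stored service name out of a script context, as an added example (not Zabbix code and not part of the report). It assumes the name ends up inside a delete-confirmation handler, which the report does not state; all function names are hypothetical, and the sample name is the string from item 1 as it appears on this page.

```javascript
// Added example, not Zabbix code. All function names are hypothetical.
// Service name copied from item 1 of the report as it appears on this page.
const REPORTED_NAME = '"?" ) & alert(""XSS';

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Encode as a JavaScript string literal. JSON.stringify handles quotes,
// backslashes and control characters; the extra pass hex-escapes characters
// that are significant to the HTML parser or are JS line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Unsafe pattern (assumed, for contrast): the name is concatenated into code.
function deleteButtonUnsafe(name) {
  return '<button onclick="return confirm(\'Delete service ' + name + '?\')">Delete</button>';
}

// Inline handler: a JS string nested in an HTML attribute.
// Encode for the inner context (JS) first, then the outer one (HTML).
function deleteButtonInline(name) {
  const js = 'return confirm(' + jsStringLiteral('Delete service ' + name + '?') + ')';
  return '<button onclick="' + escapeHtml(js) + '">Delete</button>';
}

// Preferred: keep the name out of code entirely. It travels as data and a
// static handler reads it back with element.dataset.name.
function deleteButtonData(name) {
  return '<button class="js-delete" data-name="' + escapeHtml(name) + '">Delete</button>';
}

console.log(deleteButtonUnsafe(REPORTED_NAME));
console.log(deleteButtonInline(REPORTED_NAME));
console.log(deleteButtonData(REPORTED_NAME));
```

      Encoding at output only covers the first item; the second item still needs a server-side permission check on service creation.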

          People

            vjaceslavs Vjaceslavs Bogdanovs