Details
-
Type:
Incident report
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 4.0.0alpha1
-
Fix Version/s: 3.0.17rc1, 3.4.9rc1, 4.0.0alpha6, 4.0 (plan)
-
Component/s: Frontend (F)
-
Team:Team C
-
Sprint:Sprint 31, Sprint 32
-
Story Points:0.125
Description
There are multiple problems with Services (IT services):
- Create IT service with name "?" ) & alert(""XSS when deleted from Frontend, custom JS (alert in this PoC) is executed.
- IT service creation through API does not require any special permissions (as long as you can login).
Combination of two makes it a great place for persistent XSS attacks. Maybe we should fix API as well because user without permissions can create a mess in Services.