[ZBX-14336] Persistent xss vulnerability in Services (IT Services) - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0.0alpha1
Fix Version/s: 3.0.17rc1, 3.4.9rc1, 4.0.0alpha6, 4.0 (plan)
Component/s: Frontend (F)
Labels:
- frontend
- security
- xss

Team:
Team C
Sprint:
Sprint 31, Sprint 32
Story Points:
0.125

Description

There are multiple problems with Services (IT services):

Create IT service with name "?" ) & alert(""XSS when deleted from Frontend, custom JS (alert in this PoC) is executed.
IT service creation through API does not require any special permissions (as long as you can login).

Combination of two makes it a great place for persistent XSS attacks. Maybe we should fix API as well because user without permissions can create a mess in Services.

Attachments

Activity

People

Assignee:: Vjaceslavs Bogdanovs

Reporter:: Vjaceslavs Bogdanovs

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2017 Nov 24 16:06

Updated:: 2020 Jul 16 14:10

Resolved:: 2018 May 09 16:46