ZBX-14336 (project: ZABBIX BUGS AND ISSUES)

Persistent xss vulnerability in Services (IT Services)


    • Team C
    • Sprint 31, Sprint 32
    • 0.125

      There are multiple problems with Services (IT services):

      1. Create an IT service with the name "?" ) & alert(""XSS; when it is deleted from the Frontend, the custom JS (an alert in this PoC) is executed.
      2. IT service creation through the API does not require any special permissions (as long as you can log in).

      The combination of the two makes it a great place for persistent XSS attacks. Maybe we should fix the API as well, because a user without permissions can create a mess in Services.
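The frontend-side fix for a bug of this shape is output encoding for the context the service name lands in. The following is an added example, not Zabbix code; it assumes a hypothetical `confirmDelete` inline handler and shows the vulnerable string interpolation beside the encoded version, with a check that the handler receives the name as exactly one string:

```javascript
// Added example (not Zabbix frontend code). Assumes a delete button whose
// inline onclick handler takes the service name as a JS string literal.

// HTML attribute encoding: the literal is placed inside a double-quoted attribute.
function htmlAttrEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// JS string literal: JSON.stringify escapes quotes, backslashes and control
// characters; additionally escape characters that could close a script block
// or break the JS parser (line/paragraph separators).
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable pattern: the name is spliced straight into the handler, so a name
// containing a quote terminates the literal and the remainder runs as code.
function unsafeDeleteButton(serviceName) {
  return `<button onclick="confirmDelete('${serviceName}')">Delete</button>`;
}

// Hardened pattern: encode for the JS context first, then for the HTML
// attribute context the JS sits in (the browser decodes entities before JS runs).
function safeDeleteButton(serviceName) {
  const literal = htmlAttrEncode(jsStringLiteral(serviceName));
  return `<button onclick="confirmDelete(${literal})">Delete</button>`;
}

// Check: recover the argument the browser would pass to confirmDelete and
// confirm it decodes to a single string equal to the original name.
function handlerArgumentRoundTrips(html, serviceName) {
  const m = /onclick="confirmDelete\((.*)\)">/.exec(html);
  if (!m) return false;
  const decoded = m[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
  try { return JSON.parse(decoded) === serviceName; } catch (e) { return false; }
}

// Constructed sample name (not the report's payload) that closes the literal.
const SAMPLE_NAME = `Mail') ; alert('XSS`;
```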

            vjaceslavs Vjaceslavs Bogdanovs