Sprint 59 (Dec 2019)
Persistent XSS vulnerabilities were introduced while introducing changes in
This affects multiple pages, for example problem view:
- Cause trigger to go to the problem state.
- Go to problems page and click on URL in trigger popup menu:
It is a bit harder to perform the same trick in network maps, as user macros are not enabled for network map URLs. Still, it is possible through inventory macros:
- Create map with host element. Add URL with inventory URL macro (
- Save map
- Go to problems page and click on URL in map element popup menu:
The overall problem is caused by validation terminating incorrectly when some of the conditions are met while others are not.
This is the first commit that broke the validation.
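
The early-termination pattern described above, next to a check that runs on the resolved value, as an added example that is not the project's code. The function names, the `{$NAME}` macro syntax and the sample macro values are assumptions constructed for illustration.

```javascript
// Added illustration; all names and the macro syntax are hypothetical.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const MACRO_RE = /\{[$A-Z0-9_.]+\}/; // constructed macro syntax, e.g. {$LINK}

// Scheme allow-list using the WHATWG URL parser, which normalises the
// scheme the same way a browser does (case, embedded tabs/newlines).
function isSafeUrl(value) {
  try {
    return ALLOWED_SCHEMES.has(new URL(value).protocol);
  } catch {
    return false; // not an absolute URL
  }
}

// Flawed: one satisfied condition (a macro is present) ends validation,
// so the scheme condition is never evaluated for that value.
function validateFlawed(value) {
  if (MACRO_RE.test(value)) return true;
  return isSafeUrl(value);
}

// Replace each known macro with its stored value; unknown macros stay as-is.
function expandMacros(value, macros) {
  return value.replace(new RegExp(MACRO_RE.source, 'g'),
    (m) => (Object.hasOwn(macros, m) ? macros[m] : m));
}

// Hardened: expand first, then apply every condition to the string
// that would actually be written into the link.
function validateResolved(value, macros) {
  const resolved = expandMacros(value, macros);
  if (MACRO_RE.test(resolved)) return false; // unresolved macro: render no link
  return isSafeUrl(resolved);
}

// Constructed sample data.
const sampleMacros = {
  '{$LINK}': 'javascript:void(0)',
  '{$DOCS}': 'https://example.com/runbook',
};

for (const v of ['{$LINK}', '{$DOCS}', '{$MISSING}']) {
  console.log(v, 'flawed:', validateFlawed(v),
    'resolved:', validateResolved(v, sampleMacros));
}
```

The scheme check belongs at render time as well as save time, because a macro's value can change after the URL has been stored.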