ZBX-20277 (ZABBIX BUGS AND ISSUES)

XSS in geomap widget by placing script text in host visible name


Details

    • Type: Problem report
    • Status: Closed
    • Priority: Trivial
    • Resolution: Duplicate
    • Affects version: 6.0.0alpha8 (master)
    • Fix version: None
    • Component: Frontend (F)

    Description

      Problem description: XSS is executable in the geomap widget (when clicking on a certain host in the widget) by placing script text in the visible name of the host.

      Steps to reproduce:

      1. Create a host with the following string defined in the parameter "Visible name" (don't forget to specify coordinates in the Inventory tab):
        <img src="x" onerror="alert('Im on a map!');"/>

      2. Open the configuration of any dashboard and add a Geomap widget:
        Specify the previously created host in the parameter "Host".
      3. Save the widget and the dashboard.
      4. Open the dashboard in view mode and click on the host in the geomap widget.
        Result: an alert with the text "Im on a map!" is displayed.
        Expected: JS defined in the host "Visible name" parameter should not be executed when this host is used in a geomap widget.
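      To show where this class of bug sits, the following is an added JavaScript example; it is not Zabbix's own frontend code and does not describe how the issue was actually fixed. It models a geomap popup being built from the host's visible name: the unsafe builder concatenates the name straight into the HTML string that a Leaflet marker.bindPopup() would be handed, while the safe builder HTML-escapes it first. The host object, the popup markup, the allowed-tag list and all function names are assumptions made for the illustration; the payload is the one from the report.

```javascript
// Added example, not Zabbix code. Models a geomap popup built from the
// untrusted "Visible name" of a host; host object, markup and function names
// are assumptions for illustration only.

// Constructed sample host carrying the payload from the report.
const host = {
  name: '<img src="x" onerror="alert(\'Im on a map!\');"/>',
  lat: 56.95,
  lng: 24.11,
};

// Escape the five characters that can break out of an HTML text or
// double/single-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the visible name is interpolated straight into the popup
// HTML (what a Leaflet marker.bindPopup(html) would receive). The <img> tag
// becomes a real element and its onerror handler runs when the popup opens.
function buildPopupUnsafe(h) {
  return `<div class="geomap-popup"><b>${h.name}</b><br>${h.lat}, ${h.lng}</div>`;
}

// Hardened pattern: escape the untrusted field before it is placed in markup;
// the name is still shown verbatim to the user, but only as text.
function buildPopupSafe(h) {
  return `<div class="geomap-popup"><b>${escapeHtml(h.name)}</b><br>${h.lat}, ${h.lng}</div>`;
}

// Reviewer check for generated markup: list every tag name that is not part of
// the trusted wrapper. Any entry means untrusted input reached the HTML parser
// as markup rather than as text.
function unexpectedTags(html, allowed = ['div', 'b', 'br']) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag) && !found.includes(tag)) found.push(tag);
  }
  return found;
}

// Demonstration when run directly with node.
console.log('unsafe:', unexpectedTags(buildPopupUnsafe(host))); // -> ['img']
console.log('safe:  ', unexpectedTags(buildPopupSafe(host)));   // -> []
```

      Run it with node: the unsafe builder leaks an img tag into the popup, the safe one leaves only the wrapper tags. The same rule applies to every place the visible name is rendered, not just the geomap widget; escaping at the point where a string is placed into HTML is what prevents the alert, and a check like unexpectedTags() over generated markup is a cheap way to catch regressions in tests.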

      People

        Assignee: Unassigned
        Reporter: solonkins Sergejs Olonkins