Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-20277

XSS in geomap widget by placing script text in host visible name

XMLWordPrintable

    • Icon: Problem report Problem report
    • Resolution: Duplicate
    • Icon: Trivial Trivial
    • None
    • 6.0.0beta1
    • Frontend (F)

      Problem description: XSS is executable in geomap widget (when clicking on a certain host in widget) by placing script text in the visible name of the host
      Example:

      Steps to reproduce:

      1. Create a host with the following string defined in parameter "Visible name" (don't forget to specify coordinates in Inventory tab): 
        <img src="x" onerror="alert('Im on a map!');"/>
      2. Open configuration of any Dashboard and and a Geomap widget:
        Specify the previously created host in parameter "Host
      3. Save widget and the dashboard
      4. Open dashboard in view mode and click on the host in the geomap widget
        Result: an alert with text "I'm on a map!" is displayed.
        Expected: JS defined in host Visible name parameter should not be executed if this host is used in a geomap widget

        1. JS_from_Geomap.gif
          JS_from_Geomap.gif
          1.75 MB

            Unassigned Unassigned
            solonkins Sergejs Olonkins
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: