ZABBIX BUGS AND ISSUES: ZBX-20278

XSS in scheduled reports config form by placing script text in the subscribed user name


Details

    • Type: Problem report
    • Status: Open
    • Priority: Trivial
    • Resolution: Unresolved
    • Affects Version/s: 5.4.9rc1, 6.0.0alpha8 (master)
    • Fix Version/s: None
    • Component/s: Frontend (F)

    Description

      Problem description: XSS is executable in the scheduled reports configuration form by placing script text in the name of the user that is subscribed to the report.
      Example:

      Steps to reproduce:

      1. Create a user with the following string defined in parameter "Name":
        <img src="x" onerror="alert('We all live in a yellow submarine!');"/>
        
      2. Open the configuration of any existing Scheduled report and subscribe this user to the report
        Result 1: An alert with text "We all live in a yellow submarine!" is displayed once the user is subscribed
      3. Save configuration of the report
      4. Open the report in Edit mode
        Result 2: The alert is shown again. Some of the fields, like Owner, are missing their values.
        Expected: JS defined in the user Name parameter should not be executed when the user is subscribed to a scheduled report
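The behaviour in Result 1 is what happens when a user's Name field is concatenated into form markup and handed to the DOM as HTML: the browser parses the stored `<img>` tag, the image fails to load, and its `onerror` handler runs. The example below is added here to illustrate the vulnerable rendering pattern next to its hardened form; it is not Zabbix frontend code, and the row markup, the `SUBSCRIBED_USER` record and all function names are assumptions chosen for illustration. It reuses the payload string from step 1 as a constructed test input.

```javascript
// Added example, not Zabbix frontend code. Renders a subscribed user's name
// into a scheduled-report subscription row; helper names and markup are
// assumptions for illustration.

// Constructed user record carrying the string from step 1 of the report.
const SUBSCRIBED_USER = {
  userid: 42,
  username: "reporter",
  name: '<img src="x" onerror="alert(\'We all live in a yellow submarine!\');"/>',
};

// Entity map for text nodes and double- or single-quoted attribute values.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Minimal HTML encoder: every character that can open a tag, close an
// attribute or introduce an entity is replaced before it reaches markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the untrusted Name field is interpolated verbatim into a
// fragment that the caller later assigns to innerHTML (or appends via a
// template). The stored <img> tag becomes a live element and its onerror
// handler executes, which is Result 1 in the report.
function renderRowUnsafe(user) {
  return `<tr><td>${user.name}</td><td>${user.username}</td></tr>`;
}

// Hardened pattern: every untrusted field is entity-encoded first. The name is
// displayed literally as text and no element or handler is created. In a
// browser the equivalent is building the cell with document.createElement and
// assigning the name to textContent instead of innerHTML.
function renderRowSafe(user) {
  return `<tr><td>${escapeHtml(user.name)}</td><td>${escapeHtml(user.username)}</td></tr>`;
}

// Review-time check for a rendered fragment: does it still carry an inline
// event-handler attribute with a quoted value (on...="...")? After encoding,
// the quote following "=" becomes &quot; so the encoded name does not match.
function hasInlineEventHandler(html) {
  return /\son[a-z]+\s*=\s*["']/i.test(html);
}

console.log("unsafe:", renderRowUnsafe(SUBSCRIBED_USER));
console.log("safe:  ", renderRowSafe(SUBSCRIBED_USER));
console.log("unsafe has handler:", hasInlineEventHandler(renderRowUnsafe(SUBSCRIBED_USER)));
console.log("safe has handler:  ", hasInlineEventHandler(renderRowSafe(SUBSCRIBED_USER)));
```

Result 2 (the alert firing again in Edit mode, with fields such as Owner left empty) is consistent with the same unescaped name being re-rendered server-side and the injected element breaking the surrounding form markup; the fix is the same on both paths, encode on output, regardless of what the Name field was allowed to contain on input.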

          People

            zabbix.dev Zabbix Development Team
            solonkins Sergejs Olonkins