ZBX-20278: XSS in scheduled reports config form by placing script text in the subscribed user name


    • Sprint 83 (Dec 2021)

Problem description: XSS is executable in the scheduled reports configuration form by placing script text in the name of the user that is subscribed to the report.

Example:

Steps to reproduce:

1. Create a user with the following string defined in the "Name" parameter:
   <img src="x" onerror="alert('We all live in a yellow submarine!');"/>
2. Open the configuration of any existing scheduled report and subscribe this user to the report.
   Result 1: An alert with the text "We all live in a yellow submarine!" is displayed once the user is subscribed.
3. Save the configuration of the report.
4. Open the report in Edit mode.
   Result 2: The alert is shown again. Some of the fields, like Owner, are missing their values.

Expected: JS defined in the user's Name parameter should not be executed when the user is subscribed to a scheduled report.
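The pattern behind this report, as an added illustration that is not Zabbix's own frontend code: a subscriber row is built from a user name, once by raw string interpolation (the name becomes live markup and its stray quotes can corrupt neighbouring fields, which is consistent with Result 2) and once with context-appropriate escaping. The row layout, the field names and the `unexpectedTags` check are assumptions made for the example; the payload is the one from the steps above.

```javascript
// Illustrative only: models a scheduled-report subscriber row, not the real Zabbix template.
// Constructed test input: the user "Name" value from the reproduction steps.
const USER_NAME_PAYLOAD =
  '<img src="x" onerror="alert(\'We all live in a yellow submarine!\');"/>';

// Tags the row template is expected to emit (assumed for this example).
const ALLOWED_TAGS = ['tr', 'td', 'input'];

// Vulnerable pattern: the user name is interpolated into markup unchanged, so
// the <img> becomes a real element whose onerror handler fires, and the quotes
// inside it terminate the hidden input's value attribute early.
function renderSubscriberRowUnsafe(userId, userName) {
  return `<tr class="subscriber" data-userid="${userId}">` +
    `<td>${userName}</td>` +
    `<td><input type="hidden" name="subscriptions[userid]" value="${userId}">` +
    `<input type="hidden" name="subscriptions[name]" value="${userName}"></td></tr>`;
}

// Escaping for HTML text nodes and double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every untrusted value is escaped where it enters markup,
// and the numeric id is validated instead of trusted.
function renderSubscriberRowSafe(userId, userName) {
  const id = Number.parseInt(userId, 10);
  if (!Number.isInteger(id)) throw new Error('invalid userid');
  const name = escapeHtml(userName);
  return `<tr class="subscriber" data-userid="${id}">` +
    `<td>${name}</td>` +
    `<td><input type="hidden" name="subscriptions[userid]" value="${id}">` +
    `<input type="hidden" name="subscriptions[name]" value="${name}"></td></tr>`;
}

// Regression check: list element tags in the output that the template did not
// intend to emit. Any entry means untrusted data reached the markup unescaped.
function unexpectedTags(html, allowed = ALLOWED_TAGS) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) found.add(m[1].toLowerCase());
  return [...found].filter((tag) => !allowed.includes(tag));
}
```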

            agriscenko Andrejs Griščenko
            solonkins Sergejs Olonkins
            Team C