[ZBX-12768] WASA Findings from NSOC Team
Created: 2017 May 22 | Updated: 2024 Apr 10 | Resolved: 2018 May 24

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 2.2.20rc1, 3.0.11rc1, 3.2.8rc1, 3.4.2rc1, 4.0.0alpha1, 4.0 (plan)
Type: Defect (Security) | Priority: Major
Reporter: Eric Lutjen | Assignee: Gregory Chalenko
Resolution: Fixed | Votes: 0
Labels: frontend, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Zabbix 3.0.9
Issue Links:
Team: Team D
Sprint: Sprint 8, Sprint 9, Sprint 10, Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 32, Sprint 33, Sprint 34
Story Points: 1
Description

Our VA NSOC WASA team has found 2 High Findings during a WASA security scan and needs assistance from Zabbix to address the findings.

1. Web Application is Vulnerable to Stored Cross-Site Scripting (XSS) Attacks
   1. Login to the Zabbix application
   2. Navigate to Maps > Create Map > Add Icon > Add Link > URL: Name: test URL: javascript:alert('eas')
   3. Update Map
   4. Return to Map
   5. Click created icon
   6. Observe JavaScript POC.

2. Web Application is Vulnerable to Cross-Site Request Forgery (CSRF)
   1. Log on to Application
   2. Navigate Administration --> Users --> Create Users
   3. Click attached html
   4. Observe new user added
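The stored XSS in finding 1 is possible because the map link URL field accepted a javascript: scheme; the fix comments below describe adding URL validation. The following is an added illustration, not Zabbix's own code, of a scheme-allowlist check for such a field, normalised the way a browser reads the value so that case, control-character and entity-encoded variants of javascript: are also refused; the allowed-scheme set and all function names are assumptions for this example.

```python
import html
import re
from typing import Dict, FrozenSet, List, Optional

# Assumed allowlist for this example; Zabbix's real default is defined in its
# frontend and is not reproduced on this page.
DEFAULT_ALLOWED_SCHEMES: FrozenSet[str] = frozenset(
    {"http", "https", "ftp", "file", "mailto", "tel", "ssh"}
)

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_url(url: str) -> str:
    """Canonicalise the string the way a browser will before reading the scheme.

    Browsers decode HTML entities in attribute values, strip leading/trailing
    C0 controls and spaces, and drop TAB/CR/LF anywhere, so "java\\tscript:"
    still executes. Validation must look at the same string the browser sees.
    """
    url = html.unescape(url)
    url = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", url)
    return re.sub(r"[\t\r\n]", "", url)


def url_scheme(url: str) -> Optional[str]:
    """Return the lowercased scheme, or None for a relative URL."""
    match = _SCHEME_RE.match(normalize_url(url))
    return match.group(1).lower() if match else None


def is_allowed_url(url: str, allowed: FrozenSet[str] = DEFAULT_ALLOWED_SCHEMES) -> bool:
    """Accept relative URLs and absolute URLs whose scheme is allowlisted.

    javascript:, data:, vbscript: and any unknown scheme are rejected before the
    value is stored, which removes the stored-XSS path from the report.
    """
    scheme = url_scheme(url)
    return scheme is None or scheme in allowed


def rejected_links(links: Dict[str, str]) -> List[str]:
    """Names of submitted map links (name -> URL) whose URL must be refused."""
    return sorted(name for name, url in links.items() if not is_allowed_url(url))


if __name__ == "__main__":
    # Constructed sample form submission, including the PoC value from the report.
    submitted = {"test": "javascript:alert('eas')", "wiki": "https://wiki.example.com/map"}
    print(rejected_links(submitted))  # ['test']
```

The check guards only the scheme; rendering the stored value still has to HTML-escape it in the href attribute, as the frontend does for other fields.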
Comments

Comment by richlv [ 2017 May 22 ]
"Click attached html" - could you please attach the proof of concept html?

Comment by Eric Lutjen [ 2017 May 22 ]
From the document provided it seems that I can not save the html file the security team is referencing.

Comment by Oleg Egorov (Inactive) [ 2017 Jun 27 ]
(1) Translation strings changes?
gcalenko RESOLVED No translation string changes
oleg.egorov New strings:
gcalenko CLOSED Thank you.

Comment by Oleg Egorov (Inactive) [ 2017 Aug 09 ]
(4) In map configuration in users.... possible to save a not allowed URL
gcalenko RESOLVED r71055 r71059 r71063 Added validation for:
Miks.Kronkalns CLOSED

Comment by Gregory Chalenko [ 2017 Aug 23 ]
Fixed in:

Comment by Gregory Chalenko [ 2017 Aug 31 ]
Fixed in:

Comment by Martins Valkovskis [ 2017 Sep 26 ]
Updated documentation about the new constant:

Comment by Ivo Kurzemnieks [ 2018 Feb 16 ]
(11) [D] API documentation?
gcalenko Added changes: RESOLVED
iivs CLOSED