[ZBX-14336] Persistent xss vulnerability in Services (IT Services) Created: 2017 Nov 24  Updated: 2020 Jul 16  Resolved: 2018 May 09

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 4.0.0alpha1
Fix Version/s: 3.0.17rc1, 3.4.9rc1, 4.0.0alpha6, 4.0 (plan)

Type: Defect (Security) Priority: Major
Reporter: Vjaceslavs Bogdanovs Assignee: Vjaceslavs Bogdanovs
Resolution: Fixed Votes: 0
Labels: frontend, security, xss
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Team C
Sprint: Sprint 31, Sprint 32
Story Points: 0.125

 Description   

There are multiple problems with Services (IT services):

  1. Create IT service with name "?" ) & alert(""XSS when deleted from Frontend, custom JS (alert in this PoC) is executed.
  2. IT service creation through API does not require any special permissions (as long as you can login).

Combination of two makes it a great place for persistent XSS attacks. Maybe we should fix API as well because user without permissions can create a mess in Services.



 Comments   
Comment by Vjaceslavs Bogdanovs [ 2018 Apr 12 ]

(1) No translation strings changed.

iivs CLOSED

Comment by Vjaceslavs Bogdanovs [ 2018 Apr 16 ]

Available in:

3.0.17rc1 r79703
3.4.9rc1 r79704
4.0.0alpha6 (trunk) r79706

Changelog was left unchanged.

Generated at Thu Mar 28 19:25:39 EET 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.