[ZBX-20277] XSS in geomap widget by placing script text in host visible name Created: 2021 Nov 25  Updated: 2021 Nov 26  Resolved: 2021 Nov 26

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 6.0.0beta1
Fix Version/s: None

Type: Problem report Priority: Trivial
Reporter: Sergejs Olonkins Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: fields, geomap, js
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: GIF File JS_from_Geomap.gif
Issue Links:
Sub-task
part of ZBX-20270 Zoom is broken in geomap initial view Closed

Description

Problem description: XSS is executable in geomap widget (when clicking on a certain host in widget) by placing script text in the visible name of the host
Example:

Steps to reproduce:

  1. Create a host with the following string defined in parameter "Visible name" (don't forget to specify coordinates in Inventory tab):
    <img src="x" onerror="alert('Im on a map!');"/>
  2. Open configuration of any Dashboard and add a Geomap widget:
    Specify the previously created host in parameter "Host"
  3. Save widget and the dashboard
  4. Open dashboard in view mode and click on the host in the geomap widget
    Result: an alert with text "I'm on a map!" is displayed.
    Expected: JS defined in host Visible name parameter should not be executed if this host is used in a geomap widget
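The expected behaviour above (the visible name is shown as text, never parsed as markup) comes down to escaping the untrusted field before it is interpolated into the popup HTML. The following is an added illustration, not Zabbix's own widget code: the widget structure, popup format and function names (renderPopupUnsafe, renderPopupSafe, escapeHtml) are hypothetical, and the sample host is constructed from the string in the reproduction steps.

```javascript
// Added illustration (not Zabbix code): rendering a host's visible name into a
// map popup without letting markup inside the name become live DOM.
// Widget layout, popup format and function names are hypothetical.

// Minimal HTML escaper for text interpolated into an HTML string.
// Covers the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the visible name is concatenated straight into the popup
// markup, so any tag in the name is parsed (and its handlers run) when the
// popup is attached to the page.
function renderPopupUnsafe(host) {
  return `<div class="host-popup"><b>${host.name}</b> (${host.lat}, ${host.lng})</div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation.
// The user still sees the name verbatim; it just cannot be parsed as markup.
// (In a real browser widget, setting element.textContent instead of building
// an HTML string achieves the same thing without a manual escaper.)
function renderPopupSafe(host) {
  return `<div class="host-popup"><b>${escapeHtml(host.name)}</b> ` +
    `(${escapeHtml(host.lat)}, ${escapeHtml(host.lng)})</div>`;
}

// Constructed sample host, using the visible name from the reproduction steps
// and made-up coordinates.
const sampleHost = {
  name: '<img src="x" onerror="alert(\'Im on a map!\');"/>',
  lat: '56.95',
  lng: '24.11',
};

// Regression check: true when the rendered markup still carries a raw <img>
// tag from the name, i.e. when the popup would execute the payload on open.
function containsRawTag(markup) {
  return /<img\b/i.test(markup);
}

console.log('unsafe render leaks tag:', containsRawTag(renderPopupUnsafe(sampleHost)));
console.log('safe render leaks tag:  ', containsRawTag(renderPopupSafe(sampleHost)));
console.log(renderPopupSafe(sampleHost));
```

The containsRawTag check is the kind of assertion worth keeping in the frontend test suite for the widget: feed it a host name containing markup and require that the rendered popup string never contains an unescaped tag.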


Comments
Comment by Valdis Murzins [ 2021 Nov 26 ]

This task will be fixed as part of ZBX-20270.

Generated at Sun Apr 06 12:55:26 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.