[ZBX-8111] XSS vulnerability in user names Created: 2014 Apr 17 Updated: 2020 Jul 16 Resolved: 2014 Apr 28 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Frontend (F) |
| Affects Version/s: | 2.2.3rc2, 2.3.0 |
| Fix Version/s: | None |
| Type: | Defect (Security) | Priority: | Major |
| Reporter: | Pavels Jelisejevs (Inactive) | Assignee: | Unassigned |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | frontend, security, xss | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Create a user with alias "<script>alert('test')</script>". Go to the Administration -> Notifications page, an alert will be displayed there. This needs to be checked and fixed in all releases starting from 1.8. |
| Comments |
| Comment by Krists Krigers (Inactive) [ 2014 Apr 23 ] |
|
Fixed and committed in r44693, branch svn://svn.zabbix.com/branches/dev/ZBX-8111. |
| Comment by Eduards Samersovs (Inactive) [ 2014 Apr 25 ] |
|
2.2 Tested, but for 1.8 seems will be different solution.. <kristsk> 1.8 does not use client side rotation. It uses images with rotated text generated on server side instead, so this is not an issue for 1.8 afaic. Eduards OK |
| Comment by Krists Krigers (Inactive) [ 2014 Apr 28 ] |
|
Committed and merged:
|
| Comment by Pavels Jelisejevs (Inactive) [ 2014 Apr 28 ] |
|
(1) This fix also needs to be noted in the 2.2 changelog. kristsk RESOLVED in r44906. jelisejev Thanks, CLOSED. |
| Comment by Alexander Vladishev [ 2014 Jun 17 ] |
|
Caused regression |