[ZBX-8111] XSS vulnerability in user names
Created: 2014 Apr 17 | Updated: 2020 Jul 16 | Resolved: 2014 Apr 28 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Frontend (F) |
Affects Version/s: | 2.2.3rc2, 2.3.0 |
Fix Version/s: | None |
Type: | Defect (Security) | Priority: | Major |
Reporter: | Pavels Jelisejevs (Inactive) | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | frontend, security, xss |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Description |
Create a user with alias "<script>alert('test')</script>". Go to the Administration -> Notifications page, an alert will be displayed there. This needs to be checked and fixed in all releases starting from 1.8. |
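The reproduction case above turned into a regression check, added here as an example and not taken from the ticket or the Zabbix code base. The function names, the `th` markup and the two ordinary aliases are assumptions; only the script alias comes from the description.

```javascript
// Added example: hypothetical renderer for a column header that shows a user alias.
// None of these names come from the Zabbix frontend.

// Characters that are significant in HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored alias is concatenated into markup unchanged,
// so any tags in it become part of the page.
function headerCellUnsafe(alias) {
  return '<th class="vertical">' + alias + '</th>';
}

// "After": the alias is encoded at output time, so it is displayed as text.
function headerCellSafe(alias) {
  return '<th class="vertical">' + escapeHtml(alias) + '</th>';
}

// True if anything inside the expected <th> wrapper still opens or closes a tag.
function containsInjectedMarkup(html) {
  const inner = html
    .replace(/^<th class="vertical">/, '')
    .replace(/<\/th>$/, '');
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed test aliases: the one from the report plus two ordinary names.
const ALIASES = ["<script>alert('test')</script>", 'Admin', "o'neil & co"];

// Returns the aliases for which a renderer lets markup through.
function auditRenderer(render) {
  return ALIASES.filter((alias) => containsInjectedMarkup(render(alias)));
}

console.log('unsafe renderer leaks:', auditRenderer(headerCellUnsafe));
console.log('safe renderer leaks:  ', auditRenderer(headerCellSafe));
```

Encoding at output time, not at user creation, also covers aliases that were stored before the fix.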
Comments |
Comment by Krists Krigers (Inactive) [ 2014 Apr 23 ] |
Fixed and committed in r44693, branch svn://svn.zabbix.com/branches/dev/ZBX-8111. |
Comment by Eduards Samersovs (Inactive) [ 2014 Apr 25 ] |
2.2 Tested, but for 1.8 it seems there will be a different solution.
<kristsk> 1.8 does not use client side rotation. It uses images with rotated text generated on server side instead, so this is not an issue for 1.8 afaic.
Eduards OK |
Comment by Krists Krigers (Inactive) [ 2014 Apr 28 ] |
Committed and merged:
|
Comment by Pavels Jelisejevs (Inactive) [ 2014 Apr 28 ] |
(1) This fix also needs to be noted in the 2.2 changelog.
kristsk RESOLVED in r44906.
jelisejev Thanks, CLOSED. |
Comment by Alexander Vladishev [ 2014 Jun 17 ] |
Caused regression |