[ZBX-9092] XSS JQuery-ui CVE-2010-5312 Created: 2014 Dec 01 Updated: 2020 Jul 16 Resolved: 2015 May 22 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Frontend (F) |
| Affects Version/s: | 2.0.13 |
| Fix Version/s: | None |
| Type: | Defect (Security) | Priority: | Major |
| Reporter: | Volker Fröhlich | Assignee: | Unassigned |
| Resolution: | Won't fix | Votes: | 0 |
| Labels: | security, vulnerability | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Zabbix 2.0 ships JQuery-ui version 1.8.20, which is apparently susceptible for this kind of XSS attack. Other versions of Zabbix should not be affected. |
| Comments |
| Comment by Volker Fröhlich [ 2014 Dec 01 ] |
|
And when I say version I mean major versions! |
| Comment by richlv [ 2014 Dec 01 ] |
|
the best info seems to be at http://bugs.jqueryui.com/ticket/6016 |
| Comment by Alexei Vladishev [ 2014 Dec 01 ] |
|
I quickly checked our source code, it looks like Zabbix is not vulnerable. There is just a single place in Zabbix code where we use fixed string (therefore it's not possible to inject any JS) title for jQuery dialog. Front-end developers will have a look at the code more carefully soon. arvids.godjuks Checked the code for latest versions of 2.0, 2.2, 2.5 and 2.5 - as alexei has written, code that uses the title of the dialog, is using the constant strings in code to set the dialog titles, so code is not affected by the CVE in question. |
| Comment by Volker Fröhlich [ 2014 Dec 02 ] |
|
Thanks for checking so quickly! I just realized that there's actually another CVE. Can you have a look a this one too? https://bugzilla.redhat.com/show_bug.cgi?id=1166064 oleg.egorov In Zabbix 2.4 and 2.5 jquery version is 1.10.2 and there this issue don't exist. |
| Comment by richlv [ 2014 Dec 04 ] |
|
reopening as per the previous comment |