XSS vulnerability in outage and alarm detail pages
Description
Activity
Benjamin Reed December 6, 2010 at 12:20 PM
fixed in 1.8 in c6959cbdfd1dc1c4ce033220b0315c5b55725043, and in 1.9 in 9d1cc16dd72b559ed17be2458921b4ee2a463471
Fixed
Created December 6, 2010 at 12:19 PM
Updated January 27, 2017 at 4:20 PM
Resolved December 6, 2010 at 12:20 PM
security@opennms.org received the following email:
Hello,
I would like to report a security problem with Cross Site Scripting (XSS):
putting the following string
<<SCRIPT>alert("XSS");//<</SCRIPT>
into the outage and alert sections (example links below)
http://demo.opennms.org/opennms/outage/detail.htm?id=%3C%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%2F%2F%3C%3C%2FSCRIPT%3E
http://demo.opennms.org/opennms/alarm/detail.jsp?id=%3C%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%2F%2F%3C%3C%2FSCRIPT%3E
causes script code execution.
I tested demo.opennms.org and the newest version on my PC.
Best regards,
Michal Rzepka
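
A reflected `id` parameter like the one in this report is typically closed off by validating the value as a number and HTML-encoding anything echoed back. The following is an added example, not code from the OpenNMS fix commits referenced above; the class name, method names and page markup are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.OptionalInt;

// Added illustration; not the OpenNMS fix. Class and method names are hypothetical.
public class DetailIdParam {

    // Accept only a plain non-negative decimal id; anything else is rejected.
    // The 9-digit limit keeps Integer.parseInt from overflowing.
    static OptionalInt parseId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,9}")) {
            return OptionalInt.empty();
        }
        return OptionalInt.of(Integer.parseInt(raw));
    }

    // Encode the five HTML-significant characters before echoing text into a page.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Build the fragment a detail page might emit for a given id parameter.
    static String render(String rawId) {
        OptionalInt id = parseId(rawId);
        if (id.isPresent()) {
            return "<p>Outage " + id.getAsInt() + "</p>";
        }
        // Never reflect the raw value; if it is shown at all, encode it first.
        return "<p>Invalid id: " + escapeHtml(String.valueOf(rawId)) + "</p>";
    }

    public static void main(String[] args) {
        // Query value copied from the report's example link, then URL-decoded.
        String reported = URLDecoder.decode(
            "%3C%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%2F%2F%3C%3C%2FSCRIPT%3E",
            StandardCharsets.UTF_8);
        System.out.println(render("42"));
        System.out.println(render(reported));
    }
}
```

Run with Java 10 or later. The reported string fails the numeric check and is emitted only in encoded form, so the browser displays it as text instead of parsing it as markup.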