Two XSS vulnerabilities in webapp

Description

See support ticket https://mynms.opennms.com/Ticket/Display.html?id=3040

There is a reflected XSS vulnerability in alarm/details.htm which can be triggered by entering <script>window.alert("gotcha!")</script> as the alarm ID in the search box of alarm/index.jsp.

There is an additional XSS vulnerability that manifests throughout the webapp if a node's label contains a <script> tag. An untrusted actor with PROVISION_ROLE could easily exploit this vector.

Acceptance / Success Criteria

None

Lucidchart Diagrams

Activity

Show:

Gabriela Lopez January 30, 2023 at 6:35 PM

Information Security risk assessed as a medium.

CVSS 6.6 x med likelihood .8 = 5.3 medium

AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

Jeff Gehlbach May 23, 2014 at 2:01 PM

Fixed in a branch, squash-merged and pushed to 1.12 branch.

Please change the visibility of this issue after 1.12.7 is released.

Thanks!
-jeff

Fixed

Details
Assignee
Jeff Gehlbach
Reporter
Jeff Gehlbach
Labels
bugsecurity-mediumsupportweb
Components
Web UI - General
Fix versions
1.12.7
Affects versions
1.12.6
Priority
Blocker

PagerDuty

Created May 23, 2014 at 1:52 PM

Updated January 30, 2023 at 6:35 PM

Resolved May 23, 2014 at 2:01 PM

Configure

Two XSS vulnerabilities in webapp

Description

Acceptance / Success Criteria

Lucidchart Diagrams

Activity

Gabriela Lopez January 30, 2023 at 6:35 PM

Jeff Gehlbach May 23, 2014 at 2:01 PM

DetailsAssigneeJeff GehlbachJeff GehlbachReporterJeff GehlbachJeff GehlbachLabelsbugsecurity-mediumsupportwebComponentsWeb UI - GeneralFix versions1.12.7Affects versions1.12.6PriorityBlocker

Details

Assignee

Reporter

Labels

Components

Fix versions

Affects versions

Priority

PagerDutyPagerDuty Incident

PagerDuty

Details
Assignee
Jeff Gehlbach
Reporter
Jeff Gehlbach
Labels
bugsecurity-mediumsupportweb
Components
Web UI - General
Fix versions
1.12.7
Affects versions
1.12.6
Priority
Blocker

PagerDuty