Posted to issues@ambari.apache.org by "Zhiguo Wu (Jira)" <ji...@apache.org> on 2022/10/21 09:18:00 UTC

[jira] [Updated] (AMBARI-25172) XSS - cross site scripting vulnerability

     [ https://issues.apache.org/jira/browse/AMBARI-25172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zhiguo Wu updated AMBARI-25172:
-------------------------------
    Fix Version/s: 2.8.0

> XSS - cross site scripting vulnerability
> ----------------------------------------
>
>                 Key: AMBARI-25172
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25172
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.6.2
>            Reporter: Abdu Sahin
>            Assignee: Antonenko Alexander
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.8.0
>
>         Attachments: 2.6.patch, 2.7.patch, Screen Shot 2019-02-27 at 12.28.14.png
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> I noticed there are some web pages in the Ambari Console vulnerable to an XSS attack, where an attacker can perform a variety of actions: steal the user's cookies, modify webpage contents, and perform operations on the site within the user's session.
> *Steps to reproduce !Screen Shot 2019-02-27 at 12.28.14.png!*
> Step 1: Log in to the application.
> Step 2: Go to Services -> YARN (you can select any service here).
> Step 3: Select any existing widget in the Metrics section and click on edit.
> Step 4: Click on edit.
> Step 5: In the name field box, enter the value “<img src=X onerror=alert(22)>”.
> Step 6: Click on the Next button and then the Save button.
> Step 7: The XSS popup will trigger once the summary page is refreshed.
> *Note:* Create widget page is also vulnerable.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
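The report above describes a stored XSS: the widget name is persisted by the server and later rendered into the service summary page as raw HTML, so the payload fires for every user who views that page. The following is an added illustration written for this page, not code from Ambari or from the patches attached to the ticket; the function names, the `widget-title` wrapper markup and the regression check are assumptions made for the example. It shows the vulnerable rendering pattern (string concatenation into HTML, equivalent to `innerHTML` or a Handlebars triple-stash `{{{name}}}`) next to the output-encoded form that a double-stash `{{name}}` produces, using the exact payload from the report.

```javascript
// Added example (not Ambari's code): stored XSS in a persisted widget title,
// and the output-encoding fix. The title is attacker-controlled at edit time
// and re-rendered for every viewer of the summary page afterwards.

// The payload from the ticket's reproduction steps.
const REPORTED_PAYLOAD = '<img src=X onerror=alert(22)>';

// Vulnerable pattern (assumed wrapper markup): the stored name is concatenated
// into HTML and injected as markup, so a tag in the name becomes a real tag.
function renderWidgetTitleUnsafe(name) {
  return '<span class="widget-title">' + name + '</span>';
}

// Encode the five characters that can change meaning in HTML text or
// attribute context. A single-pass regex avoids double-encoding '&'.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: identical markup, but the untrusted value is encoded at the
// render site. This is what a Handlebars/Ember double-stash {{name}} does.
function renderWidgetTitleSafe(name) {
  return '<span class="widget-title">' + escapeHtml(name) + '</span>';
}

// Regression check (assumed, for a test suite): strip the wrapper we expect
// and fail if anything that still parses as a tag start remains inside.
function introducesMarkup(html) {
  const inner = html
    .replace(/^<span class="widget-title">/, '')
    .replace(/<\/span>$/, '');
  return /<\s*\/?[a-z!?]/i.test(inner);
}

// Stand-alone demonstration.
console.log('unsafe:', renderWidgetTitleUnsafe(REPORTED_PAYLOAD));
console.log('safe:  ', renderWidgetTitleSafe(REPORTED_PAYLOAD));
console.log('unsafe introduces markup:', introducesMarkup(renderWidgetTitleUnsafe(REPORTED_PAYLOAD)));
console.log('safe introduces markup:  ', introducesMarkup(renderWidgetTitleSafe(REPORTED_PAYLOAD)));
```

Because the value is stored and read back later, the fix has to be applied where the name is rendered, not only where it is entered: input filtering on the edit form would not protect a widget created through the REST API or before the filter existed, and the same stored string is also shown on the create-widget page that the reporter notes is vulnerable.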
