Cross site scripting - Reflected

Description

The application does not filter text or other data for potentially malicious HTML content, so an attacker can inject arbitrary HTML into the response. Reflected cross-site scripting occurs when dynamically generated web pages or web services echo user input as-is, without proper validation or output encoding, allowing an attacker to steal sessions, force browsing, etc.

Impact: Cross-site scripting could result in site defacement, session hijacking, data theft, etc. Usually, an attacker will attempt to exploit an XSS vulnerability in order to present malicious HTML as if it came from a legitimate source. This attack is often combined with a social engineering attack that attempts to trick users into divulging their passwords or financial or personal information.

Acceptance / Success Criteria

None

Activity

Gerald Humphries February 8, 2022 at 4:18 AM

Reproduced and fixed the XSS vuln in the Outages List page.

A lot of the URLs/params in the spreadsheet will output the given HTML as part of an error message. Is that what's triggering the XSS detection? Examples below.

POST http://localhost:8980/opennms/api/v2/geolocation
Accept: application/json
Cookie: ***
Authorization: ***
Content-Type: application/json

{
"strategy": "Alarms",
"severityFilter": "INDETERMINATE",
"includeAcknowledgedAlarms": "<script>alert(document.cookie)</script>"
}

Response body:

Can not construct instance of boolean from String value '<script>alert(document.cookie)</script>': only "true" or "false" recognized
at [Source: org.apache.cxf.transport.http.AbstractHTTPDestination$1@10ff08a1; line: 3, column: 36] (through reference chain: org.opennms.web.rest.v2.GeolocationQueryDTO["includeAcknowledgedAlarms"])

Or like this:

GET http://localhost:8980/opennms/rest/nodes/2/snmpinterfaces?limit=<script>alert(document.cookie)</script>
Accept: application/json, text/plain, */*
Cookie: ***
Authorization: ***

Response body:

For input string: "<script>alert(document.cookie)</script>"
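As an added example (not part of this ticket or of the OpenNMS code base), the following Python snippet shows the two halves of what the description and the comment above are about: a check that flags a response which echoes the submitted value verbatim into something the browser will render as HTML, and the output-encoding fix that makes the echoed error message harmless. The sample exchanges are constructed from the two error messages quoted above; the ticket does not show the response Content-Type, so `text/html` is an assumption chosen as the worst case, and the `Exchange`, `audit` and `render_error_safely` names are the example's own.

```python
import html
from dataclasses import dataclass

# Payload quoted in the ticket above.
PAYLOAD = "<script>alert(document.cookie)</script>"


@dataclass
class Exchange:
    """One request/response pair: the user-supplied value and what came back."""
    param_value: str    # value the client sent in a URL parameter or JSON field
    content_type: str   # response Content-Type (assumed; the ticket does not show it)
    body: str           # response body


# Only these media types let a reflected <script> tag execute in a browser.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def is_reflected_unescaped(ex: Exchange) -> bool:
    """True when the exact value sent appears verbatim in a response rendered as HTML.

    A JSON or text/plain response still echoes the value, but browsers do not
    parse those bodies as markup, so the reflection alone is not an XSS sink there.
    """
    return media_type(ex.content_type) in HTML_TYPES and ex.param_value in ex.body


def audit(exchanges) -> list:
    """Return the indexes of exchanges that reflect input unescaped into HTML."""
    return [i for i, ex in enumerate(exchanges) if is_reflected_unescaped(ex)]


def render_error_safely(template: str, user_value: str) -> str:
    """Build an error message for an HTML response with the user value entity-encoded.

    html.escape turns < > & " ' into entities, so the echoed value is displayed
    as text and can neither open a tag nor break out of an attribute.
    """
    return template.format(value=html.escape(user_value, quote=True))


# Constructed samples: the two error messages quoted in the ticket, with the
# response Content-Type assumed to be text/html (the worst case).
SAMPLES = [
    Exchange(PAYLOAD, "text/html; charset=UTF-8",
             "Can not construct instance of boolean from String value "
             f"'{PAYLOAD}': only \"true\" or \"false\" recognized"),
    Exchange(PAYLOAD, "text/html; charset=UTF-8",
             f'For input string: "{PAYLOAD}"'),
]

if __name__ == "__main__":
    print("unescaped reflections at indexes:", audit(SAMPLES))
    print(render_error_safely('For input string: "{value}"', PAYLOAD))
```

The check is deliberately a plain substring test keyed on media type: if a REST error handler answers with `application/json` or `text/plain`, the same echoed message is no longer an HTML sink, which is one reason to confirm the actual Content-Type of each flagged endpoint before triaging it. Encoding at the point of output, as `render_error_safely` does, is the fix that holds regardless of which content type a given handler ends up choosing.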

Jeff Jancula January 7, 2022 at 7:03 PM

Item marked as security-moderate. Normally this would be considered a high risk item, however, Meridian is usually installed in a secure environment. 

Gaurav Pande December 10, 2021 at 11:35 AM

Attaching the endpoints found vulnerable to reflected XSS. These need to be checked and remediated.

Benjamin Reed December 8, 2021 at 3:16 PM

We already do some amount of XSS mitigation at the global level as well as in individual UI code – do you have specific concerns or subsystems where you have found issues?

Fixed

Details

Created December 8, 2021 at 8:28 AM
Updated November 10, 2022 at 7:12 PM
Resolved March 1, 2022 at 2:47 PM