XSS vulnerability in OpenNMS web UI

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.16, 1.9.93
Fix Version/s: 1.8.17, 1.10.0
Component/s: Web UI - General
Security Level: Default (Default Security Scheme)
Labels:
- security
- web

Description

By intentionally failing to log in with a specially crafted and invalid username, a remote attacker with access to the OpenNMS web UI can cause a logged-in user's browser to execute arbitrary Javascript code when viewing the events and/or alarms browser in the OpenNMS web UI. An attacker does not need a valid login account, but does need to be able to reach the login page, in order to exploit this vulnerability.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Jeff Gehlbach added a comment - 19/Jan/12 11:30 AM

Updating issue in advance of releases containing fix.

Show

Jeff Gehlbach added a comment - 19/Jan/12 11:30 AM Updating issue in advance of releases containing fix.

Hide

Permalink

Benjamin Reed added a comment - 07/Feb/12 3:34 PM

this was fixed a bit ago, just never got marked as such

Show

Benjamin Reed added a comment - 07/Feb/12 3:34 PM this was fixed a bit ago, just never got marked as such

People

Assignee:

Jeff Gehlbach

Reporter:

Jeff Gehlbach

Vote (0)

Watch (0)

Dates

Created:

09/Jan/12 12:30 PM

Updated:

07/Feb/12 3:34 PM

Resolved:

07/Feb/12 3:34 PM

Agile

View on Board