OpenNMS / NMS-10703

Reflected file download vulnerability in /api/v2/scanreports

Details

Sprint: Horizon 2019 - September 11th

Description

Exploitable sample URL:

https://dr-spb-jmx-1.example.com:8443/opennms/api/v2/scanreports;rfd.bat?_s=rfd||PRcxaxaxhacibidjbgjhaaabgieRP&limit=20&offset=0&order=desc&orderBy=timestamp

Not restricting the issue permission scheme, since RFD appears to affect primarily obsolete browsers, but we should also be mitigating it server-side if we are not already doing so.

A copy of the vulnerability scanner report is available at the URL in the Environment field of this issue.
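The server-side mitigation the description asks for, as an added example; this is not OpenNMS code and not part of the issue, and it assumes the v2 endpoint is served through JAX-RS. The class name, the fixed download filename and the 400 response text are assumptions. Reflected file download needs three things at once: attacker-controlled bytes reflected into the body (in the sample URL the only such input is the `_s` search expression), a response the browser saves to disk rather than renders, and an attacker-chosen filename and extension, which the sample URL obtains from the bogus `;rfd.bat` matrix parameter on the last path segment. Filtering the reflected input is fragile, so the filter below removes the other two conditions instead: it refuses matrix parameters on the final path segment and forces a fixed, server-chosen filename plus `nosniff` on JSON responses.

```java
import java.io.IOException;
import java.util.List;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.PathSegment;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Illustrative RFD mitigation for a JSON REST API. Hypothetical class, not
 * part of OpenNMS; the filename and error text below are assumptions.
 *
 * Request side: reject a final path segment that carries matrix parameters
 * ("/scanreports;rfd.bat"), which is how the attacker names the download.
 * Response side: pin the download name and forbid MIME sniffing on JSON, so
 * a browser that does save the body cannot be steered into a .bat/.cmd file.
 */
@Provider
public class RfdMitigationFilter implements ContainerRequestFilter, ContainerResponseFilter {

    /** Fixed, server-chosen download name; never derived from the request URL. */
    static final String DOWNLOAD_NAME = "response.json";

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        List<PathSegment> segments = request.getUriInfo().getPathSegments();
        if (segments.isEmpty()) {
            return;
        }
        PathSegment last = segments.get(segments.size() - 1);
        // "/scanreports;rfd.bat" parses as path "scanreports" with matrix
        // parameter key "rfd.bat". No resource here accepts matrix parameters,
        // so refuse the request instead of letting JAX-RS silently ignore them.
        if (!last.getMatrixParameters().isEmpty()) {
            request.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .type(MediaType.TEXT_PLAIN_TYPE)
                    .entity("matrix parameters are not accepted on this resource")
                    .build());
        }
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) throws IOException {
        MediaType type = response.getMediaType();
        if (type == null || !MediaType.APPLICATION_JSON_TYPE.isCompatible(type)) {
            return;
        }
        // Content-Disposition with a fixed filename: even if the browser decides to
        // download the body, the extension is ours, not the attacker's.
        response.getHeaders().putSingle("Content-Disposition",
                "attachment; filename=\"" + DOWNLOAD_NAME + "\"");
        // nosniff: the JSON body must not be reinterpreted as another content type.
        response.getHeaders().putSingle("X-Content-Type-Options", "nosniff");
    }
}
```

Register the class as a JAX-RS provider alongside the v2 resources. To check the fix, request the sample URL above: it should now return 400 instead of the reflected JSON, and a clean `GET /opennms/api/v2/scanreports?limit=20` should carry both added headers. The trade-off to be aware of is that `attachment` makes a browser that navigates directly to the API download the JSON rather than display it; XHR and fetch callers such as the web UI are unaffected, because Content-Disposition only governs navigations.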

People

Assignee: Matthew Brooks (mbrooks)
Reporter: Jeff Gehlbach (jeffg)