[NMS-13229] Reflected XSS reported 2021-03-31 (update summary after disclosure) - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 27.1.0, Meridian-2020.1.7
Fix Version/s: Meridian-2019.1.19, Meridian-2020.1.8, Meridian-2021.1.0, 27.2.0
Component/s: Web UI - Admin
Security Level: Default (Default Security Scheme)
Labels:
- security

Sprint:
Horizon 2021 - Mar 31 - Apr 14, Horizon 2021 - Apr 14 - Apr 28, Horizon 2021 - Apr 28 - May 12
HB Backlog Status:
Backlog CM

Description

The reporter of this vulnerability prefers to remain anonymous.

A reflected cross-site scripting (XSS) vulnerability exists in the OpenNMS webapp, and can be exploited by any actor with the ability to search for events in the webapp. I have verified that it is exploitable in Horizon 27.1.0.

Steps to reproduce:

Log in as a normal, non-admin user
Open Status -> Events
In the "Event ID" box, enter <script>alert("XSS")</script> and submit the form

Expected result: Input validation neutralizes the attempted exploit, as already happens when searching for alarms and notifications
Actual result: Alert popup observed in empty search results page

Attachments

Activity

People

Assignee:: Christian Pape

Reporter:: Jeff Gehlbach

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/Apr/21 6:25 PM

Updated:: 18/May/21 7:47 PM

Resolved:: 05/May/21 10:54 AM