OpenNMS
NMS-13229

Reflected XSS reported 2021-03-31 (update summary after disclosure)


    Details

    • Sprint:
      Horizon 2021 - Mar 31 - Apr 14, Horizon 2021 - Apr 14 - Apr 28, Horizon 2021 - Apr 28 - May 12
    • HB Backlog Status:
      Backlog CM

      Description

      The reporter of this vulnerability prefers to remain anonymous.

      A reflected cross-site scripting (XSS) vulnerability exists in the OpenNMS webapp, and can be exploited by any actor with the ability to search for events in the webapp. I have verified that it is exploitable in Horizon 27.1.0.

      Steps to reproduce:

      1. Log in as a normal, non-admin user
      2. Open Status -> Events
      3. In the "Event ID" box, enter <script>alert("XSS")</script> and submit the form

      Expected result: Input validation neutralizes the attempted exploit, as already happens when searching for alarms and notifications
      Actual result: Alert popup observed in empty search results page
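The two halves of a fix for a report like this, and a check that tells them apart, as an added example that is not OpenNMS code and does not show how the project's own JSP renders the events page: the event ID is validated as an integer before it is used, anything echoed back is HTML-encoded, and a small checker runs the probe from the report (plus two variants that get past a filter which only looks for `<script>`) through a renderer and reports which ones come back unencoded. The page skeleton, the `eventid` parameter name and the renderer functions are constructed for the illustration.

```python
"""
Reflected-XSS check for a search parameter such as the "Event ID" box.
Constructed example, not OpenNMS code: the markup and parameter name are
assumed for illustration only.
"""
import html
import re
from typing import Callable, Dict, Optional

# Probe from the bug report, plus two variants that a filter matching only
# the literal "<script>" would miss.
PROBES = [
    '<script>alert("XSS")</script>',
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
]


def render_vulnerable(event_id: str) -> str:
    """Echo the raw parameter into an attribute and into the results text.
    This is the pattern the report describes (page structure assumed)."""
    return (
        "<html><body><h1>Events</h1>"
        f'<form><input name="eventid" value="{event_id}"></form>'
        f"<p>No events found matching event ID {event_id}</p>"
        "</body></html>"
    )


def validate_event_id(raw: Optional[str]) -> Optional[int]:
    """Event IDs are integers: accept only digits, reject everything else
    before the value reaches a query or a page."""
    if raw is None:
        return None
    raw = raw.strip()
    if re.fullmatch(r"\d{1,18}", raw):
        return int(raw)
    return None


def render_hardened(event_id: str) -> str:
    """Validate first; if the value is not an event ID, do not echo it at all.
    Whatever is echoed is entity-encoded for both attribute and text context."""
    parsed = validate_event_id(event_id)
    if parsed is None:
        return "<html><body><h1>Events</h1><p>Invalid event ID.</p></body></html>"
    safe = html.escape(str(parsed), quote=True)
    return (
        "<html><body><h1>Events</h1>"
        f'<form><input name="eventid" value="{safe}"></form>'
        f"<p>No events found matching event ID {safe}</p>"
        "</body></html>"
    )


def reflected_unencoded(body: str, probe: str) -> bool:
    """True if the probe appears verbatim in the body; an encoded echo
    turns '<' into '&lt;' and '"' into '&quot;', so it no longer matches."""
    return probe in body


def scan(render: Callable[[str], str]) -> Dict[str, bool]:
    """Run every probe through a renderer; True means it reflects unencoded."""
    return {probe: reflected_unencoded(render(probe), probe) for probe in PROBES}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        for probe, hit in scan(fn).items():
            print(f"{name:10} {'REFLECTED' if hit else 'ok':9} {probe}")
```

Against a live instance the same `reflected_unencoded` check can be run over the body of an HTTP response to the events search, which gives a regression test for the fix. Validation alone is the right fix for a field that is by definition numeric; output encoding is still worth keeping for the fields that are free text (in a JSP webapp that is the difference between `<c:out value="${param.x}"/>`, which encodes by default, and a raw `${param.x}`).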

            People

            Assignee:
            cpape Christian Pape
            Reporter:
            jeffg Jeff Gehlbach
Votes:
0
Watchers:
2
