[NMS-13835] Cross site scripting - Reflected - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: High
Resolution: Fixed
Affects Version/s: Meridian-2021.1.3
Fix Version/s: Meridian-2019.1.31, Meridian-2020.1.20, Meridian-2021.1.12, Meridian-2022.1.0, 29.0.7
Component/s: None
Security Level: Default (Default Security Scheme)
Labels:
- security-moderate

Sprint:
Horizon 22 - Feb 2 - Feb 16, Horizon 22 - Feb 16 - Mar 2
HB Backlog Status:
Backlog

Description

The application does not filter text or other data for potentially malicious HTML content. This enables an attacker to craft arbitrary HTML content. Cross site scripting occurs when dynamically generated web pages/web services reflect user input as it is, that is not properly validated, allowing an attacker to steal session, force browsing etc.

Impact: Cross site scripting could result into site defacing, session hijacking and data theft etc. Usually, an attacker will attempt to manipulate an XSS vulnerability in order to present malicious HTML as if it came from a legitimate source. This attack is often combined with a social engineering attack that attempts to trick users into divulging their passwords, financial, or personal information.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

XSS_URLs-Parameters-November2021.xlsx
15 kB
10/Dec/21 11:35 AM
XSS-reflected.docx
71 kB
08/Dec/21 8:28 AM

Issue Links

related to

NMS-13931 NCR Pentest report

Open

mentioned in: Page Loading...

Activity

People

Assignee:: Gerald Humphries

Reporter:: Gaurav Pande

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 08/Dec/21 8:28 AM

Updated:: 17/Mar/22 8:05 PM

Resolved:: 01/Mar/22 2:47 PM

HB Grooming Date:: 14/Dec/21