Julia created AMBARI-24418:
------------------------------

             Summary: XSS attack in Ambari Alerts
                 Key: AMBARI-24418
                 URL: https://issues.apache.org/jira/browse/AMBARI-24418
             Project: Ambari
          Issue Type: Bug
          Components: ambari-client
    Affects Versions: 2.7.1
            Reporter: Julia

It is possible for an attacker to steal information or access from users by 
executing malicious javascript. This is possible due to the use of a javascript 
"eval()" function when loading the description of alerts. Leveraging this, one 
user could create a malicious alert to steal access or information of another 
user. Upon viewing the malicious alert, the victim would be compromised by 
having any information on the page scraped, its appearance modified, or their 
session information stolen.

!https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/8dfe7e85-4c5a-4632-90c8-73696cfe727a?fileName=attachfilehandler%20%282%29.png!

Repro steps

!https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/6aebfcf6-9d34-45d5-bf88-c2d43431f84f?fileName=attachfilehandler%20%281%29.png!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)