Julia created AMBARI-24419:
------------------------------

             Summary: XSS attack in Ambari Config History
                 Key: AMBARI-24419
                 URL: https://issues.apache.org/jira/browse/AMBARI-24419
             Project: Ambari
          Issue Type: Bug
          Components: ambari-client
    Affects Versions: 2.7.1
            Reporter: Julia


It is possible for an attacker to steal information or access from users by
executing malicious JavaScript. This is possible because a JavaScript
"eval()" call is used when loading the notes of a config history change.
Leveraging this, one user could create a malicious history entry to steal the
access or information of another user. Upon viewing the malicious historical
entry, the victim would be compromised: the attacker could directly scrape any
information on the page, modify its appearance, or steal the victim's session
information.
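As an added illustration (not Ambari's own code), the snippet below contrasts loading a history note with eval(), which executes whatever the stored string contains, against a loader that only parses data and escapes it before rendering; the entry format and function names are assumed for the example.

```javascript
// Added example, not from the Ambari code base. The serialized entry shape
// ({"version": N, "notes": "..."}) is a constructed assumption.
const SAMPLE_ENTRY = '{"version": 3, "notes": "raised heap size"}';

// Vulnerable pattern: eval() treats the stored note as code, so any
// expression embedded by the author of the entry runs in the viewer's browser.
function loadNoteUnsafe(serialized) {
  return eval('(' + serialized + ')').notes;
}

// Hardened loader: JSON.parse only accepts data. A string that is not valid
// JSON is rejected, and a valid one is never executed.
function loadNoteSafe(serialized) {
  let entry;
  try {
    entry = JSON.parse(serialized);
  } catch (e) {
    return null;
  }
  return entry && typeof entry.notes === 'string' ? entry.notes : null;
}

// Escape before inserting into HTML so markup inside the note is shown as
// literal text instead of being interpreted by the page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Render a history entry's note as inert HTML; unparsable entries render empty.
function renderNoteHtml(serialized) {
  const note = loadNoteSafe(serialized);
  return note === null ? '' : '<span class="note">' + escapeHtml(note) + '</span>';
}
```

The safe loader refuses the non-JSON input that eval() would happily evaluate, and escaping makes a note containing markup display as text.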

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)