[ https://issues.apache.org/jira/browse/AMBARI-25172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zhiguo Wu updated AMBARI-25172:
-------------------------------
    Fix Version/s: 2.8.0

> XSS - cross site scripting vulnerability
> ----------------------------------------
>
>                 Key: AMBARI-25172
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25172
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.6.2
>            Reporter: Abdu Sahin
>            Assignee: Antonenko Alexander
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.8.0
>
>         Attachments: 2.6.patch, 2.7.patch, Screen Shot 2019-02-27 at 12.28.14.png
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> I noticed there are some web pages in Ambari Console vulnerable to XSS
> attack where an attacker can perform a variety of actions: steal the user's cookies,
> modify webpage contents, and perform operations with the site within the user's
> session.
> *Steps to reproduce !Screen Shot 2019-02-27 at 12.28.14.png!*
> Step 1: Log in to the application.
> Step 2: Go to Services -> YARN (you can select any service here).
> Step 3: Select any existing widget in the Metrics section and click on edit.
> Step 4: Click on edit.
> Step 5: In the name field box, enter the value “<img src=X onerror=alert(22)>”
> Step 6: Click on the Next button and then the Save button.
> Step 7: The XSS popup will trigger once the summary page is refreshed.
> *Note:* The Create widget page is also vulnerable.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
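The stored XSS reported above arises when a user-supplied widget name is inserted into the service summary page as markup rather than as text. The following is an added example, not code from the Ambari project or from the attached 2.6/2.7 patches: a hypothetical widget-heading renderer in its vulnerable form (raw interpolation) beside its hardened form (HTML entity encoding of the untrusted name), exercised with the payload string quoted in the report. The function names and the `h4.widget-title` markup are assumptions made for the illustration.

```javascript
// Added example, not from the Ambari project or its patches.
// Entity-encodes the five characters that HTML treats specially, so an
// untrusted string is rendered literally instead of being parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer for a widget heading on the service summary page.
// Vulnerable pattern: the raw name becomes part of the HTML string.
function renderWidgetHeadingUnsafe(widgetName) {
  return `<h4 class="widget-title">${widgetName}</h4>`;
}

// Hardened pattern: the name is encoded at the point it enters HTML context.
function renderWidgetHeading(widgetName) {
  return `<h4 class="widget-title">${escapeHtml(widgetName)}</h4>`;
}

// Simple detection check for a unit test: after stripping the heading wrapper
// we emitted ourselves, does anything that would parse as a tag remain?
// (A browser-based test would load the fragment into a DOM and inspect it.)
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<h4 class="widget-title">/, '')
    .replace(/<\/h4>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Payload quoted in the report, constructed here as test input.
const REPORT_PAYLOAD = '<img src=X onerror=alert(22)>';

// Stand-alone demonstration of both renderings.
console.log('unsafe :', renderWidgetHeadingUnsafe(REPORT_PAYLOAD));
console.log('escaped:', renderWidgetHeading(REPORT_PAYLOAD));
console.log('injected tag in unsafe output :', containsInjectedTag(renderWidgetHeadingUnsafe(REPORT_PAYLOAD)));
console.log('injected tag in escaped output:', containsInjectedTag(renderWidgetHeading(REPORT_PAYLOAD)));
```

Encoding belongs at the output boundary, not on input: the same widget name may later be placed in an attribute, a URL or a JSON response, each needing its own encoder. In a Handlebars/Ember template such as ambari-web uses, the double-curly `{{name}}` form applies this kind of escaping automatically, whereas the triple-curly form and values marked as safe HTML bypass it, so a review of such a bug starts by finding where the name reaches the page unescaped.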