[
https://issues.apache.org/jira/browse/AMBARI-25172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Zhiguo Wu updated AMBARI-25172:
-------------------------------
Fix Version/s: 2.8.0
> XSS - cross site scripting vulnerability
> ----------------------------------------
>
> Key: AMBARI-25172
> URL: https://issues.apache.org/jira/browse/AMBARI-25172
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.6.2
> Reporter: Abdu Sahin
> Assignee: Antonenko Alexander
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.8.0
>
> Attachments: 2.6.patch, 2.7.patch, Screen Shot 2019-02-27 at
> 12.28.14.png
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> I noticed there are some web pages in Ambari Console vulnerable to XSS
> attack where attacker can perform a variety of actions: steal user's cookies,
> modify webpage contents, and perform operations with the site within user's
> session.
> *Steps to reproduce !Screen Shot 2019-02-27 at 12.28.14.png!*
> Step1: Login into the application.
> Step2: Go to Services -> YARN (you can select any service here).
> Step3: Select any existing widget in Metrics section and click on edit.
> Step 4: Click on edit
> Step 5: In the name field box, enter value “<img src=X onerror=alert(22)>”
> Step6: Click on Next button and then save button.
> Step 7: XSS popup will trigger once the summary page is refreshed.
> *Note:* Create widget page is also vulnerable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
