[jira] [Assigned] (AMBARI-24419) XSS attack in Ambari Config History

Robert Levas (JIRA) Wed, 21 Nov 2018 05:32:17 -0800


     [ 
https://issues.apache.org/jira/browse/AMBARI-24419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Robert Levas reassigned AMBARI-24419:
-------------------------------------

    Assignee: Robert Levas

> XSS attack in Ambari Config History
> -----------------------------------
>
>                 Key: AMBARI-24419
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24419
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-client
>    Affects Versions: 2.7.1
>            Reporter: Julia
>            Assignee: Robert Levas
>            Priority: Critical
>
> It is possible for an attacker to steal information or access from users by 
> executing malicious JavaScript. This is possible due to the use of a 
> javascript "eval()" function when loading the notes from config history 
> change. Leveraging this one user could create a malicious history entry to 
> steal access or information of another user. Upon viewing the malicious 
> historical entry the victim would be comprimised by directly scraping any 
> information on the page, modify its appearance, or having their session 
> information stolen.
>  
>   
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/81b481b3-397c-442e-b0aa-199ff793a05d?fileName=attachfilehandler%20%283%29.png!
>  
>  
> fg
>  
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Assigned] (AMBARI-24419) XSS attack in Ambari Config History

Reply via email to