[
https://issues.apache.org/jira/browse/AMBARI-24418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16694706#comment-16694706
]
Robert Levas commented on AMBARI-24418:
---------------------------------------
[~juliaw]...
Thanks for the report. Can you email this to
[[email protected]|mailto:[email protected]] and
[[email protected]|mailto:[email protected]] with details on
how to reproduce the issue. Do not add these details here since we do not want
suck information out in the public until the vulnerability is fixed.
> XSS attack in Ambari Alerts
> ---------------------------
>
> Key: AMBARI-24418
> URL: https://issues.apache.org/jira/browse/AMBARI-24418
> Project: Ambari
> Issue Type: Bug
> Components: ambari-client
> Affects Versions: 2.7.1
> Reporter: Julia
> Assignee: Robert Levas
> Priority: Critical
>
>
> It is possible for an attacker to steal information or access from users by
> executing malicious javascript. This is possible due to the use of a
> javascript "eval()" function when loading the description of alerts.
> Leveraging this one user could create a malicious alert to steal access or
> information of another user. Upon viewing the maliicous alert the vicitim
> would be comprimised by directly scraping any information on the page, modify
> its appearence, or having their session information stolen.
>
>
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/8dfe7e85-4c5a-4632-90c8-73696cfe727a?fileName=attachfilehandler%20%282%29.png!
> Repro steps
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/6aebfcf6-9d34-45d5-bf88-c2d43431f84f?fileName=attachfilehandler%20%281%29.png!
>
>
>
>
>
>
>
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
