[
https://issues.apache.org/jira/browse/AMBARI-24419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16694707#comment-16694707
]
Robert Levas commented on AMBARI-24419:
---------------------------------------
[~juliaw]...
Thanks for the report. Can you email this to
[[email protected]|mailto:[email protected]] and
[[email protected]|mailto:[email protected]] with details on
how to reproduce the issue. Do not add these details here since we do not want
suck information out in the public until the vulnerability is fixed.
> XSS attack in Ambari Config History
> -----------------------------------
>
> Key: AMBARI-24419
> URL: https://issues.apache.org/jira/browse/AMBARI-24419
> Project: Ambari
> Issue Type: Bug
> Components: ambari-client
> Affects Versions: 2.7.1
> Reporter: Julia
> Assignee: Robert Levas
> Priority: Critical
>
> It is possible for an attacker to steal information or access from users by
> executing malicious JavaScript. This is possible due to the use of a
> javascript "eval()" function when loading the notes from config history
> change. Leveraging this one user could create a malicious history entry to
> steal access or information of another user. Upon viewing the malicious
> historical entry the victim would be comprimised by directly scraping any
> information on the page, modify its appearance, or having their session
> information stolen.
>
>
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/81b481b3-397c-442e-b0aa-199ff793a05d?fileName=attachfilehandler%20%283%29.png!
>
>
> fg
>
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
