[
https://issues.apache.org/jira/browse/AMBARI-24418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16694706#comment-16694706
]
Robert Levas edited comment on AMBARI-24418 at 1/10/19 5:39 PM:
----------------------------------------------------------------
[~juliaw]...
Thanks for the report. Can you email this to
[[email protected]|mailto:[email protected]] and
[[email protected]|mailto:[email protected]] with details on
how to reproduce the issue. Do not add these details here since we do not want
such information out in the public until the vulnerability is fixed.
was (Author: rlevas):
[~juliaw]...
Thanks for the report. Can you email this to
[[email protected]|mailto:[email protected]] and
[[email protected]|mailto:[email protected]] with details on
how to reproduce the issue. Do not add these details here since we do not want
suck information out in the public until the vulnerability is fixed.
> XSS attack in Ambari Alerts
> ---------------------------
>
> Key: AMBARI-24418
> URL: https://issues.apache.org/jira/browse/AMBARI-24418
> Project: Ambari
> Issue Type: Bug
> Components: ambari-client
> Affects Versions: 2.7.1
> Reporter: Julia
> Assignee: Robert Levas
> Priority: Critical
>
>
> It is possible for an attacker to steal information or access from users by
> executing malicious JavaScript. This is possible due to the use of a
> JavaScript "eval()" function when loading the description of alerts.
> Leveraging this, one user could create a malicious alert to steal access or
> information of another user. Upon viewing the malicious alert the victim
> would be compromised by having any information on the page directly scraped,
> its appearance modified, or their session information stolen.
>
>
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/8dfe7e85-4c5a-4632-90c8-73696cfe727a?fileName=attachfilehandler%20%282%29.png!
> Repro steps
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/6aebfcf6-9d34-45d5-bf88-c2d43431f84f?fileName=attachfilehandler%20%281%29.png!
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
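The report above describes the unsafe pattern in a web client: handing an alert description string to eval(), so that whatever a user stored in that field runs as code in the viewer's browser. The example below is added here and is not Ambari's code; it shows the defensive counterpart, treating the description strictly as data. Structured content is decoded with JSON.parse (which can only produce values, never execute a call) and text bound for the DOM is HTML-escaped before insertion. The function names escapeHtml, parseAlertDescription and renderAlertDescription, and the sample descriptions, are assumptions constructed for this example.

```javascript
// Added example, not Ambari code: handle an alert description as data, never as code.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Decode a description that may be a JSON document or plain text.
// JSON.parse only yields data; unlike eval() it cannot run a function call.
// Anything that is not a string or a plain object with a string "text"
// field is treated as opaque text rather than interpreted.
function parseAlertDescription(raw) {
  try {
    const value = JSON.parse(raw);
    if (typeof value === 'string') {
      return { text: value };
    }
    if (value && typeof value === 'object' && !Array.isArray(value)
        && typeof value.text === 'string') {
      return { text: value.text };
    }
  } catch (e) {
    // Not JSON: fall through and keep the raw string as text.
  }
  return { text: String(raw) };
}

// Build the HTML fragment the UI would insert. Returning a string keeps the
// example runnable without a DOM; in a browser the same result would be set
// on a dedicated element (preferably via textContent rather than innerHTML).
function renderAlertDescription(raw) {
  const { text } = parseAlertDescription(raw);
  return '<div class="alert-description">' + escapeHtml(text) + '</div>';
}

// Constructed sample descriptions standing in for values stored by users.
const sampleDescriptions = [
  'Disk usage on /data exceeded 90%',
  '{"text":"NameNode heap > 80% of <threshold>"}',
  '<b>markup supplied by a user</b>',
];

for (const description of sampleDescriptions) {
  console.log(renderAlertDescription(description));
}
```

Whatever the stored description contains, the output is inert text inside the wrapper element; the rendering path never evaluates it, so a description can only change what the viewer reads, not what their browser executes.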