Abdu Sahin created AMBARI-25172:
-----------------------------------

             Summary: XSS - cross site scripting vulnerability
                 Key: AMBARI-25172
                 URL: https://issues.apache.org/jira/browse/AMBARI-25172
             Project: Ambari
          Issue Type: Bug
          Components: ambari-web
    Affects Versions: 2.6.2
            Reporter: Abdu Sahin
         Attachments: Screen Shot 2019-02-27 at 12.28.14.png

I noticed there are some web pages in Ambari Console vulnerable to an XSS attack
where an attacker can perform a variety of actions: steal user's cookies, modify
webpage contents, and perform operations with the site within the user's session.

*Steps to reproduce !Screen Shot 2019-02-27 at 12.28.14.png!*

Step 1: Login into the application.

Step 2: Go to Services -> YARN (you can select any service here).

Step3: Select any existing widget in Metrics section and click on edit.

Step 4: Click on edit

Step 5: In the name field box, enter value “<img src=X onerror=alert(22)>”

Step 6: Click on Next button and then save button.

Step 7: XSS popup will trigger once the summary page is refreshed.

*Note:* Create widget page is also vulnerable.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)