[
https://issues.apache.org/jira/browse/AMBARI-25172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated AMBARI-25172:
------------------------------------
Labels: pull-request-available (was: )
> XSS - cross site scripting vulnerability
> ----------------------------------------
>
> Key: AMBARI-25172
> URL: https://issues.apache.org/jira/browse/AMBARI-25172
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.6.2
> Reporter: Abdu Sahin
> Assignee: Antonenko Alexander
> Priority: Major
> Labels: pull-request-available
> Attachments: Screen Shot 2019-02-27 at 12.28.14.png
>
>
> I noticed there are some web pages in Ambari Console vulnerable to XSS
> attack where attacker can perform a variety of actions: steal user's cookies,
> modify webpage contents, and perform operations with the site within user's
> session.
> *Steps to reproduce !Screen Shot 2019-02-27 at 12.28.14.png!*
> Step1: Login into the application.
> Step2: Go to Services -> YARN (you can select any service here).
> Step3: Select any existing widget in Metrics section and click on edit.
> Step 4: Click on edit
> Step 5: In the name field box, enter value “<img src=X onerror=alert(22)>”
> Step6: Click on Next button and then save button.
> Step 7: XSS popup will trigger once the summary page is refreshed.
> *Note:* Create widget page is also vulnerable.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
