[FELIX-6132] XSS possible in service console - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: webconsole-4.3.8
Fix Version/s: webconsole-4.3.12
Component/s: Web Console
Labels:
None

Description

Issue Summary : There is a XSS possible in system console.

Steps to reproduce :

Open a local instance
Open the link http://localhost:4502/system/console/services?filter=%22onmouseover=%22alert(%27xss%27)%22 in Internet Explorer. A pop would come when you mouse over the filter input box.
Chrome would auto flag XSS exploit and prevent page load

Expected Behavior : The pop up should not come up.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

xss_service_console_felix_6132.patch
17/May/19 10:20
5 kB
Ashok Kumar
escape_quotes_and_apos_for_service_filter.patch
20/May/19 05:30
3 kB
Ashok Kumar

Issue Links

supercedes

FELIX-4746 Escape outputting filter parameter in service servlet

Closed

Activity

People

Assignee:: Karl Pauls

Reporter:: Ashok Kumar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/May/19 10:16

Updated:: 27/May/19 11:55

Resolved:: 20/May/19 10:53