Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] Persistent Cross-Site Scripting (XSS) #9170

Closed
JavierOlmedo opened this issue Sep 7, 2018 · 1 comment
Closed

[SECURITY] Persistent Cross-Site Scripting (XSS) #9170

JavierOlmedo opened this issue Sep 7, 2018 · 1 comment

Comments

@JavierOlmedo
Copy link

Hi,

dashboard_name parameter is vulnerable to Persistent Cross-Site Scripting attacks through POST requests in /ajax_form.php resource.

This vulnerability, allow remote attackers to inject arbitrary web script or HTML.

Proof of concept (PoC)
Click in New Dashboard (+) and enter payload "<script>alert('XSS PoC')</script>" in name field

Greetings!
@murrant murrant mentioned this issue Sep 8, 2018
Merged
1 task
@laf
Copy link
Member

laf commented Sep 8, 2018

@JavierOlmedo Thanks for the report.

Please note for future reference that we ask people to contact us via email for security related issues: https://docs.librenms.org/#General/Security/ and that GitHub isn't used for reporting any form of bugs or security issues.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 7, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@laf @JavierOlmedo