Two XSS issues found in 3.6.1 #351

Comments

Two CVEs were apparently assigned: CVE-2019-20378 and CVE-2019-20379.

@vvuksan is there any plan to address these vulnerabilities? :)

Could this have been fixed with this commit? -> ab90903

I have not been able to reproduce it from the main branch.
When I visited the installed web page, I found that this version has 2 reflected cross-site scripting (XSS) issues in the page. I found that apt-get installs version 3.6.1 of ganglia-webfrontend by default, so there may be many Ganglia users who used apt-get to install this ganglia-webfrontend version.

header.php, lines 411-417:

```php
$custom_time = "or <span class=\"nobr\">from <input type=\"TEXT\" title=\"$examples\" NAME=\"cs\" ID=\"datepicker-cs\" SIZE=\"17\"";
if ($cs)
  $custom_time .= " value=\"$cs\"";
$custom_time .= "> to <input type=\"TEXT\" title=\"$examples\" name=\"ce\" ID=\"datepicker-ce\" SIZE=\"17\"";
if ($ce)
  $custom_time .= " value=\"$ce\"";
$custom_time .= "> <input type=\"submit\" value=\"Go\">\n";
```
There is some XSS protection in the system, but it can be bypassed. An attacker can use "onfocus" and "autofocus" to bypass it.
url1:
/ganglia/?r=hour&cs=&ce=hou7z%22%20onfocus%3ddocument.location%3d1%20autofocus%3d%20oqqfa&c=unspecified&h=&tab=m&vn=&hide-hf=false
url2:
/ganglia/?r=hour&cs=quxfd%22%20onfocus%3ddocument.location%3d1%20autofocus%3d%20wp7f3&ce=&c=unspecified&h=&tab=m&vn=&hide-hf=false
Please confirm whether this is a security vulnerability.
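As an added example, not code from the ganglia-web project or from the reporter, the same date-range inputs built with the request values escaped for an HTML attribute context: `htmlspecialchars()` with `ENT_QUOTES` turns the `"` that closes the attribute in the reported payload into `&quot;`, so `onfocus` and `autofocus` stay inside the `value` string instead of becoming attributes. The function names and the `$examples` value are assumptions.

```php
<?php
// Added example, not ganglia-web code: the header.php snippet from the
// report with every request-derived value escaped before it is inserted
// into a double-quoted HTML attribute.

// ENT_QUOTES encodes both " and ' (older PHP defaults only encoded "),
// so the value can never terminate the attribute it is placed in.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened form of the $custom_time construction. The checks use !== ''
// rather than truthiness so a literal "0" is not silently dropped.
function custom_time(string $cs, string $ce, string $examples): string
{
    $html  = "or <span class=\"nobr\">from <input type=\"TEXT\" title=\"" . attr($examples)
           . "\" NAME=\"cs\" ID=\"datepicker-cs\" SIZE=\"17\"";
    if ($cs !== '')
        $html .= " value=\"" . attr($cs) . "\"";
    $html .= "> to <input type=\"TEXT\" title=\"" . attr($examples)
           . "\" name=\"ce\" ID=\"datepicker-ce\" SIZE=\"17\"";
    if ($ce !== '')
        $html .= " value=\"" . attr($ce) . "\"";
    $html .= "> <input type=\"submit\" value=\"Go\">\n";
    return $html;
}

// True when no attribute boundary was injected: every raw double quote in
// the output belongs to the template itself, so no " onfocus=" can appear.
function attribute_intact(string $html): bool
{
    return strpos($html, '" onfocus') === false
        && strpos($html, ' autofocus=') === false;
}

// Constructed input: the URL-decoded form of the cs parameter from url2.
$payload = 'quxfd" onfocus=document.location=1 autofocus= wp7f3';

$out = custom_time($payload, '', 'e.g. 2019-12-01 10:00');
echo $out;
var_dump(attribute_intact($out));
```

Applying the same `attr()` wrapper to every other request parameter that header.php echoes into markup, not only `cs` and `ce`, is the general fix; output encoding at the point of insertion does not depend on which filter the input passed through earlier.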