New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] Persistent Cross-Site Scripting (XSS) #9170

Closed
JavierOlmedo opened this Issue Sep 7, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@JavierOlmedo

JavierOlmedo commented Sep 7, 2018

Hi,

dashboard_name parameter is vulnerable to Persistent Cross-Site Scripting attacks through POST requests in /ajax_form.php resource.

This vulnerability, allow remote attackers to inject arbitrary web script or HTML.

Proof of concept (PoC)
Click in New Dashboard (+) and enter payload "<script>alert('XSS PoC')</script>" in name field

Greetings!

@murrant murrant referenced this issue Sep 8, 2018

Merged

Sanitize data in dashboard add/edit/delete #9171

1 of 1 task complete

@murrant murrant closed this in #9171 Sep 8, 2018

@laf

This comment has been minimized.

Member

laf commented Sep 8, 2018

@JavierOlmedo Thanks for the report.

Please note for future reference that we ask people to contact us via email for security related issues: https://docs.librenms.org/#General/Security/ and that GitHub isn't used for reporting any form of bugs or security issues.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 7, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.