Bug #8302 (closed): traffic_graphs.widget.php potential XSS via settings
100% done
Description
traffic_graphs.widget.php does not perform input validation on its settings, which can lead to a potential XSS due to the way the settings are used in JavaScript.
The widget needs input validation and to encode the setting output before use.
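An added illustration of the two patterns this ticket contrasts (not the pfSense widget's own code): a setting read from config.xml interpolated raw into an inline script, beside a version that validates the value on input and encodes it on output. The settings arrays, the 1..3600 second range and the function names are constructed for the example.

```php
<?php
// Constructed sample settings, shaped like values read from config.xml.
$settings_clean = ['refreshinterval' => '1'];
$settings_bad   = ['refreshinterval' => '"/><script>alert(1)</script>'];

// Vulnerable pattern: the stored string is dropped straight into JavaScript,
// so a crafted value closes the string and the script element.
function render_vulnerable(array $settings): string {
    $interval = $settings['refreshinterval'];
    return '<script>var refreshInterval = "' . $interval . '";</script>';
}

// Input validation (hypothetical limits): accept only an integer number of
// seconds between 1 and 3600; anything else falls back to the default.
function validate_refresh_interval($value, int $default = 1): int {
    if (is_string($value) && preg_match('/^\d+$/', $value)) {
        $n = (int)$value;
        if ($n >= 1 && $n <= 3600) {
            return $n;
        }
    }
    return $default;
}

// Apply the same validation when the widget settings form is saved, so a
// bad value never reaches config.xml in the first place.
function sanitize_widget_settings(array $post): array {
    return ['refreshinterval' => (string)validate_refresh_interval($post['refreshinterval'] ?? null)];
}

// Output encoding: emit a JavaScript literal with the HTML-significant
// characters hex-escaped, so the value cannot terminate the script block
// even if an unvalidated value were ever stored.
function render_hardened(array $settings): string {
    $interval = validate_refresh_interval($settings['refreshinterval'] ?? null);
    $flags    = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var refreshInterval = ' . json_encode($interval, $flags) . ';</script>';
}

echo render_vulnerable($settings_bad), PHP_EOL;
echo render_hardened($settings_bad), PHP_EOL;
echo render_hardened($settings_clean), PHP_EOL;
print_r(sanitize_widget_settings(['refreshinterval' => 'e1']));
```

Running it shows the first line carrying the injected script element intact, while both hardened renderings and the sanitized form submission reduce to a plain integer.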
Updated by Jim Pingle almost 7 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset e7b5b82b121c76c4c6bf57229bfef0ea3bc33d5b.
Updated by Anonymous almost 7 years ago
On 2.4.2 CE, added traffic graph widget to dash, set refresh interval to 1s, saved, backed up config and edited the config.xml to replace <refreshinterval>1</refreshinterval>
with
<refreshinterval>"/><script>alert(1)</script></refreshinterval>
After the reboot, logged in and got an alert popup on the dashboard.
Upgraded to 2.4.3.a.20180308.0936, logged in, no alert popup on the dashboard, backed up config,
<refreshinterval>"/><script>alert(1)</script></refreshinterval>
still present in the config.
Cannot paste text with letters into the refresh interval field in Widget settings; it results in "e1" showing up in the field. Also cannot type letters into the field.
Appears fixed.
Updated by Jim Pingle almost 7 years ago
- Status changed from Feedback to Resolved