Bug #8302
closed
traffic_graphs.widget.php potential XSS via settings
Added by Jim Pingle about 8 years ago.
Updated almost 8 years ago.
Affected Architecture:
All
Description
traffic_graphs.widget.php does not validate its widget settings, and because those settings are inserted unescaped into the JavaScript the widget emits, a tampered setting value can lead to cross-site scripting (XSS).
The widget needs input validation on its settings and must encode the setting values before they are output into HTML or JavaScript.
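The pattern described above, shown as an added example that is not pfSense's own widget code: a refresh-interval setting that is interpolated raw into an inline script and an HTML attribute, beside a version that validates the stored value to an integer and encodes it for each output context. The function names (sanitize_refresh_interval, render_vulnerable, render_hardened) and the sample values are constructed for this example; the tampered value is the one from the report below.

```php
<?php
// Added example (not pfSense's own code): validating and encoding a dashboard
// widget setting before it reaches HTML or JavaScript. Names are hypothetical.

// Accept only a whole number of seconds within a sane range; otherwise use the default.
// Validating here (at render time) matters because config.xml can be edited directly,
// bypassing whatever the settings form checks.
function sanitize_refresh_interval($raw, $default = 1, $min = 1, $max = 60) {
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    $raw = (string) $raw;
    // ctype_digit rejects signs, decimals, whitespace and any markup characters.
    if ($raw === '' || !ctype_digit($raw)) {
        return $default;
    }
    $value = (int) $raw;
    if ($value < $min || $value > $max) {
        return $default;
    }
    return $value;
}

// Vulnerable pattern: the stored setting is written straight into an attribute and
// an inline script. A value containing a quote and a <script> tag breaks out of both.
function render_vulnerable($refreshinterval) {
    $html  = '<input type="text" name="refreshinterval" value="' . $refreshinterval . '"/>';
    $html .= "<script>var refreshInterval = '" . $refreshinterval . "';</script>";
    return $html;
}

// Hardened pattern: validate to an integer first, then encode per output context.
function render_hardened($refreshinterval) {
    $interval = sanitize_refresh_interval($refreshinterval);
    // HTML attribute context: entity-encode quotes and angle brackets.
    $html  = '<input type="text" name="refreshinterval" value="'
           . htmlspecialchars((string) $interval, ENT_QUOTES, 'UTF-8') . '"/>';
    // JavaScript context: emit a JSON literal. The JSON_HEX_* flags escape <, >, &, ' and "
    // as \uXXXX so that even a non-numeric value could never close the script element.
    $html .= '<script>var refreshInterval = '
           . json_encode($interval, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
           . ';</script>';
    return $html;
}

// Constructed sample values: a normal setting, the tampered config.xml value from the
// report, and an out-of-range number.
$samples = array('1', '"/><script>alert(1)</script>', '9999');
foreach ($samples as $s) {
    echo "input:      " . $s . "\n";
    echo "vulnerable: " . render_vulnerable($s) . "\n";
    echo "hardened:   " . render_hardened($s) . "\n\n";
}
```

Running this with the PHP CLI prints the two renderings side by side: for the tampered value the vulnerable output contains a live script element, while the hardened output falls back to the default interval of 1 and contains no markup from the input. The validation is deliberately placed where the value is used rather than only in the settings form, since the report shows the value arriving through a hand-edited config.xml rather than through the form.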
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:e7b5b82b121c76c4c6bf57229bfef0ea3bc33d5b.
On 2.4.2 CE, added traffic graph widget to dash, set refresh interval to 1s, saved, backed up config and edited the config.xml to replace <refreshinterval>1</refreshinterval>
with
<refreshinterval>"/><script>alert(1)</script></refreshinterval>
After the reboot, logged in and got an alert popup on the dashboard.
Upgraded to 2.4.3.a.20180308.0936, logged in, no alert popup on the dashboard. Backed up config;
<refreshinterval>"/><script>alert(1)</script></refreshinterval>
is still present in the config.
Cannot paste text with letters into the refresh interval field in Widget settings, results in "e1" showing up in the field. Also cannot type letters into the field.
Appears fixed.
- Status changed from Feedback to Resolved
- Private changed from Yes to No