[OBS-4584] HTML injection vulnerability - Observium

Details

Type: Bug
Resolution: Fixed
Priority: Minor
Fix Version/s: None
Affects Version/s: CE-22.5
Component/s: Discovery
Labels:
- security

Description

Observium is vulnerable to HTML injection via LLDP neighbour discovery. This happens if a port sees a neighbour with a system name of <script>alert('injection!')</script>.

In the "neighbours view" of that port, a yellow triangle will be shown to indicate that autodiscovery is not working properly. Hovering over that triangle will trigger the injected payload.

Keep up the good work! Cheers!

Attachments

Activity

[OBS-4584] HTML injection vulnerability

Mike Stupalov made changes - 2023/08/17 02:45 PM

Resolution		New: Fixed [ 1 ]
Status	Original: In Progress [ 3 ]	New: Resolved [ 5 ]

Mike Stupalov made changes - 2023/08/17 01:00 PM

Status

Original: Pending Response [ 10000 ]

New: In Progress [ 3 ]

Observium Bot made changes - 2023/08/16 08:32 PM

Status

Original: Open [ 1 ]

New: Pending Response [ 10000 ]

zluudg created issue - 2023/08/16 08:32 PM

People

Assignee:: Mike Stupalov

Reporter:: zluudg

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023/08/16 08:32 PM

Updated:: 2023/08/22 09:56 PM

Resolved:: 2023/08/17 02:45 PM