Hyperic HQ

Stored XSS in Alerts List

Details

  • Type: Security Review
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 4.1.2
  • Fix Version/s: 4.2.0
  • Component/s: Deprecated: UI
  • Case Links:
    none
  • Regression:
    No

Description

This is being added to 4.2.0 for estimation and evaluation for inclusion based on third-party discovery, and plans to publish the vulnerability.

ADDITIONAL DETAILS:

A stored cross-site scripting vulnerability was found in the Alerts list of Hyperic HQ. An authenticated Hyperic user can create an alert with JavaScript code in the Description field. When a user visits the Alerts list, the Description field of every alert is displayed without properly escaping special HTML characters, thus leading to a persistent XSS.

As a proof of concept, create a new alert and insert the following JavaScript code in the Description field:

<script>alert(document.cookie)</script>

Then, when a Hyperic user visits the Alerts list, the JavaScript code embedded into the Description of the malicious alert will be executed:

http://<hyperic-server>:7080/alerts/Config.do?mode=list&rid=10001&type=3

Activity

Todd Rader added a comment -

Don't we just need escapeXml=true in this:

<display:column width="20%" property="description"
title="common.header.Description" />

(snippet from ListDefinitions.jsp)

David Crutchfield added a comment -

Fixed in r13715

Escaped any string value set via the property attribute
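
The escaping discussed in the comments above, as an added Java illustration (not Hyperic's code and not the change made in r13715). The `AlertRow` record, `renderCell` and `escapeXml` helper are hypothetical names, and the sample rows are constructed, the second one reusing the proof of concept from the description.

```java
import java.util.List;

// Added illustration, not Hyperic code: AlertRow and renderCell are hypothetical.
public class AlertsListEscaping {

    // Stand-in for one row of the Alerts list; only the fields needed here.
    record AlertRow(String name, String description) {}

    // Encode the five characters that are significant in HTML element
    // content and quoted attribute values.
    static String escapeXml(String value) {
        if (value == null) return "";
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Render one table cell; escape=false reproduces the reported behaviour,
    // where the stored Description reaches the page as markup.
    static String renderCell(String propertyValue, boolean escape) {
        return "<td>" + (escape ? escapeXml(propertyValue) : propertyValue) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<AlertRow> rows = List.of(
            new AlertRow("cpu-high", "CPU > 90% for 5 min & rising"),
            new AlertRow("poc", "<script>alert(document.cookie)</script>"));
        for (AlertRow row : rows) {
            String safe = renderCell(row.description(), true);
            // After encoding, the only tags left in the cell are the renderer's own.
            if (safe.substring(4, safe.length() - 5).contains("<")) {
                throw new IllegalStateException("unescaped markup in " + row.name());
            }
            System.out.println("unescaped: " + renderCell(row.description(), false));
            System.out.println("escaped:   " + safe);
        }
    }
}
```

This encoding is correct for values placed in HTML element content or quoted attributes; values written into script blocks or URLs need the encoding for that context instead.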

Kashyap Parikh added a comment -

Verified in 4.1.2.1, 4.1.4.1, 4.0.3.1 and 3.2.6.1


Dates

  • Created:
    Updated:
    Resolved:
    Last comment:
    4 years, 28 weeks, 5 days ago