Xymon Mailing List Archive search

Xymon and XSS vulnerability

2 messages in this thread

Gatis Anerauds · Wed, 15 Jul 2020 15:45:33 +0300
Hi,

Looking for help.
Does anyone know something about this rather old XSS vulnerability?
https://infosec.rm-it.de/2012/04/08/xss-in-xymon/
It is kind of still there in the 4.3.30 version.
Any ideas how can it be solved?

Regards
Gatis
Jeremy Laidman · Thu, 30 Jul 2020 14:33:45 +1000
The report suggests that some variables are sanitised, but the two that
were exploitable were not. It would probably be possible to simply apply
the sanitisation code to these two variables, and it would remove the XSS
vulnerability. I haven't reviewed the code, though.

I'm actually trying to understand how this could be exploited. Can you
explain?

On Wed, 15 Jul 2020 at 22:46, Gatis Anerauds <user-e47f4dceddb4@xymon.invalid> wrote:
Hi,

Looking for help.
Does anyone know something about this rather old XSS vulnerability?
https://infosec.rm-it.de/2012/04/08/xss-in-xymon/
It is kind of still there in the 4.3.30 version.
Any ideas how can it be solved?

Regards
Gatis
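The fix Jeremy proposes, applying the same sanitisation to the two unsanitised variables, comes down to HTML-encoding every request parameter before it is written into the page. The code below is an added illustration of that step and is not Xymon's own code: the escaping routine is a generic HTML-entity encoder rather than whatever Xymon's source uses, and the parameter name and page fragment in `render_host_line` are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Xymon's code: HTML-escape a string so it can be
 * embedded in HTML text or a quoted attribute without being interpreted
 * as markup. Returns a malloc'd buffer the caller frees, or NULL. */
char *html_escape(const char *in) {
    size_t outlen = 0;
    const char *p;

    /* First pass: compute the escaped length. */
    for (p = in; *p; p++) {
        switch (*p) {
            case '&':  outlen += 5; break;  /* &amp;  */
            case '<':  outlen += 4; break;  /* &lt;   */
            case '>':  outlen += 4; break;  /* &gt;   */
            case '"':  outlen += 6; break;  /* &quot; */
            case '\'': outlen += 5; break;  /* &#39;  */
            default:   outlen += 1; break;
        }
    }

    char *out = malloc(outlen + 1);
    if (!out) return NULL;

    /* Second pass: copy, substituting entities for the five metacharacters. */
    char *q = out;
    for (p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Write a page fragment containing a request parameter. The parameter
 * ("host") and the fragment layout are placeholders for this example, not
 * Xymon identifiers. Returns the number of bytes written, or -1 on error
 * or truncation. */
int render_host_line(const char *hostparam, char *buf, size_t buflen) {
    char *safe = html_escape(hostparam);
    if (!safe) return -1;
    int n = snprintf(buf, buflen, "<td>Host: %s</td>", safe);
    free(safe);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void) {
    /* Constructed sample value containing HTML metacharacters. */
    const char *sample = "www.example.com<b title=\"x\">&amp;</b>";
    char buf[256];
    if (render_host_line(sample, buf, sizeof buf) < 0) return 1;
    puts(buf);
    return 0;
}
```

Encoding at the point of output, rather than trying to strip "dangerous" input, means the parameter's value is preserved for display while it can no longer change the structure of the page; the same routine should be applied to every parameter that reaches the response, not only the two named in the report.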