[OJSI-15] XSS vulnerabilities in ONAP Portal (CVE-2019-12317) - ONAP JIRA

Clone

Clone+

Clone++

XML

Word

Printable

Type: Task
Status: Public disclosure
Priority: High
Resolution: Done
Affects Version/s: Casablanca Maintenance Release, Dublin Release, Casablanca
Fix Version/s: El Alto Release
Labels:

OJSI CVE:
CVE-2019-12317
OJSI Impact Description:

Hide

Title: Number of XSS vulnerabilities in Portal

Reporter: Jakub Botwicz from Samsung

Products: Portal

Affects: Dublin and earlier

Description:

Jakub Botwicz from Samsung reported a number of vulnerabilities in ONAP Portal. By providing a crafted user input, an attacker is able to execute a script with the rights of other user. All ONAP setups are affected.

Show
Title: Number of XSS vulnerabilities in Portal Reporter: Jakub Botwicz from Samsung Products: Portal Affects: Dublin and earlier Description: Jakub Botwicz from Samsung reported a number of vulnerabilities in ONAP Portal. By providing a crafted user input, an attacker is able to execute a script with the rights of other user. All ONAP setups are affected.
OJSI Grant Project Access:
OJSI-PORTAL
Epic Link:
Number of XSS vulnerabilities in ONAP

ONAP Portal don't validate user input and allows for XSS vulnerability
in multiple places (URLs)

1.	Persistent XSS vulnerability in saveNewUser form	Public disclosure	Dominik Mizyn
2.	Persistent XSS vulnerability in saveNotification form	Public disclosure	Dominik Mizyn
3.	Persistent XSS vulnerability in onboardingApps form	Public disclosure	Dominik Mizyn
4.	Persistent XSS vulnerability in microservices form	Public disclosure	Dominik Mizyn
5.	Persistent XSS vulnerability in basicAuthAccount form	Public disclosure	Dominik Mizyn
6.	Persistent XSS vulnerability in functionalMenuItem form	Public disclosure	Dominik Mizyn
7.	Reflected XSS vulnerability in saveNotification form	Public disclosure	Dominik Mizyn
8.	XSS Vulnerability fix in AppsOSController	Public disclosure	Dominik Mizyn
9.	XSS Vulnerability fix in RoleManageController	Public disclosure	Dominik Mizyn
10.	XSS Vulnerability fix in TicketEventController	Public disclosure	Dominik Mizyn

No reviews matched the request. Check your Options in the drop-down menu of this sections header.