Описание
An administrator is able to execute commands as root via the alerts management dialog
An administrator is able to execute commands as root via the alerts management dialog
Связанные уязвимости
CVSS3: 9.1
nvd
больше 2 лет назад
An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value ' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters) * click add * click apply * create a test alert * The test alert will run the command “id | tee /tmp/ttttttddddssss” as root. * after the test alert inspect /tmp/ttttttddddssss it'll contain the ids of the root user.