ganglia / ganglia-web

Ganglia Web Frontend
BSD 3-Clause "New" or "Revised" License

Two XSS issues found in 3.6.1 #351

Closed 1iK3 closed 6 months ago

1iK3 commented 4 years ago

When I visited the installed web page, I found this version has 2 reflected cross-site scripting (XSS) issues in the page. I found that apt-get installs version 3.6.1 of ganglia-webfrontend by default; maybe there are many ganglia users who used apt-get to install this ganglia-webfrontend version.

header.php:

    $custom_time = "or <span class=\"nobr\">from <input type=\"TEXT\" title=\"$examples\" NAME=\"cs\" ID=\"datepicker-cs\" SIZE=\"17\"";
    if ($cs)
        $custom_time .= " value=\"$cs\"";
    $custom_time .= "> to <input type=\"TEXT\" title=\"$examples\" name=\"ce\" ID=\"datepicker-ce\" SIZE=\"17\"";
    if ($ce)
        $custom_time .= " value=\"$ce\"";
    $custom_time .= "> <input type=\"submit\" value=\"Go\">\n";

There is some XSS protection in the system, but it can be bypassed. An attacker can use "onfocus" and "autofocus" to bypass it.

url1: /ganglia/?r=hour&cs=&ce=hou7z%22%20onfocus%3ddocument.location%3d1%20autofocus%3d%20oqqfa&c=unspecified&h=&tab=m&vn=&hide-hf=false

url2: /ganglia/?r=hour&cs=quxfd%22%20onfocus%3ddocument.location%3d1%20autofocus%3d%20wp7f3&ce=&c=unspecified&h=&tab=m&vn=&hide-hf=false

Please confirm whether it is a security vulnerability.
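An added example, not part of the issue thread and not ganglia-web's own code or fix: the markup from the header.php excerpt rebuilt with attribute-context escaping, plus a regression check that parses the output and reports any unexpected attribute on an `<input>`. The function names are hypothetical, and the sample value is the `ce` parameter from url1, URL-decoded.

```php
<?php
// Added example, not ganglia-web code; function names are hypothetical.

// Escape a value for use inside a double-quoted HTML attribute.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as the header.php excerpt, with every interpolated value escaped.
function custom_time_html(string $examples, string $cs, string $ce): string {
    $t = attr($examples);
    $html = "or <span class=\"nobr\">from <input type=\"TEXT\" title=\"$t\" NAME=\"cs\" ID=\"datepicker-cs\" SIZE=\"17\"";
    if ($cs !== '')
        $html .= ' value="' . attr($cs) . '"';
    $html .= "> to <input type=\"TEXT\" title=\"$t\" name=\"ce\" ID=\"datepicker-ce\" SIZE=\"17\"";
    if ($ce !== '')
        $html .= ' value="' . attr($ce) . '"';
    return $html . "> <input type=\"submit\" value=\"Go\">\n";
}

// Regression check: parse the fragment the way a browser-like HTML parser would
// and list every attribute on an <input> that the template never emits itself.
function unexpected_input_attrs(string $html): array {
    $allowed = ['type', 'title', 'name', 'id', 'size', 'value'];
    libxml_use_internal_errors(true);   // tolerate the unclosed <span>
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $found = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $a) {
            if (!in_array(strtolower($a->name), $allowed, true))
                $found[] = $a->name;
        }
    }
    return $found;
}

// Constructed input: the ce value from url1 in the report, URL-decoded.
$ce = urldecode('hou7z%22%20onfocus%3ddocument.location%3d1%20autofocus%3d%20oqqfa');

// The value concatenated as in the excerpt, then the escaped rendering.
$unescaped = '<input type="TEXT" name="ce" value="' . $ce . '">';
echo 'unescaped: ', json_encode(unexpected_input_attrs($unescaped)), "\n";
echo 'escaped:   ', json_encode(unexpected_input_attrs(custom_time_html('', '', $ce))), "\n";
```

The check needs PHP's DOM extension; a non-empty list for the escaped rendering would mean a request parameter still reaches the page outside its attribute value.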

carnil commented 4 years ago

Two CVEs were apparently assigned: CVE-2019-20378 and CVE-2019-20379.

NicoleG25 commented 4 years ago

@vvuksan is there any plan to address these vulnerabilities? :) Cheers!

solbu commented 3 years ago

Could this have been fixed with this commit? -> ab909037aa30bc200d467eecb1c189565604ba6a The commit message indicates that an XSS error was fixed.

vvuksan commented 3 years ago

I have not been able to reproduce it from the main branch.