VYPR
Moderate severity · NVD Advisory · Published Jun 29, 2018 · Updated Aug 5, 2024

CVE-2018-12973

Description

OpenTSDB 2.3.0 contains a stored XSS vulnerability via the 'json' parameter in the /q URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenTSDB version 2.3.0 is affected by a cross-site scripting (XSS) vulnerability in the /q endpoint. The json parameter is not properly sanitized, allowing an attacker to inject arbitrary HTML or JavaScript code [1], [2].

Exploitation

An attacker can craft a malicious request to the /q URI containing a payload in the json parameter. No authentication is required if the query endpoint is publicly accessible, and no special privileges are needed. The injected script will be executed in the context of the victim's browser when the crafted response is rendered [1], [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who views the maliciously crafted page. This can lead to session hijacking, credential theft, or defacement of the OpenTSDB web interface [1], [2].

Mitigation

No official patch has been released as of the publication date. Users should restrict network access to the /q endpoint, apply input validation or a web application firewall (WAF) rule to block malicious payloads in the json parameter, or upgrade to a newer version if a fix becomes available [2], [3].
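As an added defender-side example (not code from the advisory or from OpenTSDB): a Python scan over constructed access-log lines that flags /q requests whose decoded json parameter carries HTML markup, the injection path the advisory describes. The log format, the treatment of a bare json flag as carrying nothing to reflect, and the assumption that a non-empty json value should parse as JSON are all assumptions of this example.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (assumed common-log layout, not real OpenTSDB output).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jun/2018:10:01:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&json HTTP/1.1" 200 512
10.0.0.7 - - [29/Jun/2018:10:01:09 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&json=%7B%22a%22%3A1%7D HTTP/1.1" 200 512
10.0.0.9 - - [29/Jun/2018:10:02:17 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&json=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512
10.0.0.9 - - [29/Jun/2018:10:02:20 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")  # any HTML tag opener (<b, </b, <!--, ...)


def inspect_json_param(raw):
    """Return 'html-markup' or 'not-json' if the value looks wrong for a JSON parameter, else None."""
    value = unquote(raw)  # parse_qs decoded once already; a second pass catches double-encoding
    if MARKUP_RE.search(value):
        return "html-markup"
    try:
        json.loads(value)  # assumption: a non-empty json value is expected to be JSON
    except ValueError:
        return "not-json"
    return None


def scan_access_log(text):
    """Return (client_ip, reason, decoded_value) for /q requests with a suspicious json parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/q":
            continue  # only the endpoint named in the advisory
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("json", []):
            if raw == "":
                continue  # bare "&json" flag: no value to reflect (assumption)
            reason = inspect_json_param(raw)
            if reason:
                findings.append((line.split()[0], reason, unquote(raw)))
    return findings


if __name__ == "__main__":
    for ip, reason, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {reason}: {value!r}")
```

Only the third constructed line is reported; the bare flag, the well-formed JSON value, and the request to a different path are ignored.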

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.opentsdb:opentsdb (Maven)
Affected versions: <= 2.3.0
Patched versions: none listed

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.