Openbravo Issue Tracking System - Openbravo ERP |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0012030 | Openbravo ERP | C. Security | public | 2010-01-21 17:45 | 2022-02-01 08:08 |
|
Reporter | efriese | |
Assigned To | Triage Platform Base | |
Priority | high | Severity | major | Reproducibility | always |
Status | acknowledged | Resolution | open | |
Platform | | OS | 20 | OS Version | Community Appliance |
Product Version | 2.50MP9 | |
Target Version | | Fixed in Version | | |
Merge Request Status | |
Review Assigned To | |
OBNetwork customer | |
Web browser | |
Modules | Core |
Support ticket | |
Regression level | |
Regression date | |
Regression introduced in release | |
Regression introduced by commit | |
Triggers an Emergency Pack | No |
|
Summary | 0012030: Cross-site Scripting in ActionButton_Responser.html |
Description | The input from inpadProcessId is not sufficiently validated/escaped to prevent malicious code from being executed in the browser. |
Steps To Reproduce | While in session, visit /openbravo/ad_actionButton/ActionButton_Responser.html and use the following for inpadProcessId:
inpadProcessId=172>%22%27><img%20src%3d%22javascript:alert('XSS')%22>
An alert box will display XSS. |
Proposed Solution | The value of inpadProcessId should be escaped to make it safe for the browser. More information can be found at:
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^] |
Additional Information | |
Tags | No tags attached. |
Relationships | |
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2010-01-21 17:45 | efriese | New Issue | |
2010-01-21 17:45 | efriese | Assigned To | => alostale |
2010-01-21 17:48 | psarobe | Assigned To | alostale => shuehner |
2010-01-21 17:48 | psarobe | Priority | normal => urgent |
2010-01-21 17:48 | psarobe | Severity | critical => major |
2010-01-21 17:48 | psarobe | Status | new => scheduled |
2012-02-20 11:21 | shuehner | Assigned To | shuehner => alostale |
2012-02-22 15:51 | alostale | Relationship added | blocks 0019842 |
2012-02-22 15:53 | alostale | Type | defect => design defect |
2012-09-24 23:40 | AugustoMauch | Note Added: 0052513 | |
2012-09-24 23:40 | AugustoMauch | Priority | urgent => high |
2017-03-31 14:36 | alostale | Status | scheduled => acknowledged |
2017-04-10 14:35 | alostale | Assigned To | alostale => platform |
2022-02-01 08:08 | alostale | Assigned To | platform => Triage Platform Base |