0012030: Cross-site Scripting in ActionButton_Responser.html

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0012030

Openbravo ERP

C. Security

public

2010-01-21 17:45

2022-02-01 08:08

Reporter

efriese

Assigned To

Triage Platform Base

Priority

high

Severity

major

Reproducibility

always

Status

acknowledged

Resolution

open

Platform

OS Version

Community Appliance

Product Version

2.50MP9

Target Version

Fixed in Version

Merge Request Status

Review Assigned To

OBNetwork customer

Web browser

Modules

Core

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0012030: Cross-site Scripting in ActionButton_Responser.html

Description

The input from inpadProcessId is not sufficiently validated/escaped to prevent malicious code from being executed in the browser.

Steps To Reproduce

While in session, visit /openbravo/ad_actionButton/ActionButton_Responser.html and use the following for inpadProcessId:

inpadProcessId=172>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.

Proposed Solution

The value of inpadProcessId should be escaped to make it safe for the browser. More information can be found at:

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^]

Additional Information