Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0012030Openbravo ERPC. Securitypublic2010-01-21 17:452022-02-01 08:08
efriese 
Triage Platform Base 
highmajoralways
acknowledgedopen 
20Community Appliance
2.50MP9 
 
Core
No
0012030: Cross-site Scripting in ActionButton_Responser.html
The input from inpadProcessId is not sufficiently validated/escaped to prevent malicious code from being executed in the browser.
While in session, visit /openbravo/ad_actionButton/ActionButton_Responser.html and use the following for inpadProcessId:

inpadProcessId=172>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
The value of inpadProcessId should be escaped to make it safe for the browser. More information can be found at:

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^]
No tags attached.
blocks design defect 0019842 acknowledged Triage Platform Base Review Cross-site Scripting 
Issue History
2010-01-21 17:45efrieseNew Issue
2010-01-21 17:45efrieseAssigned To => alostale
2010-01-21 17:48psarobeAssigned Toalostale => shuehner
2010-01-21 17:48psarobePrioritynormal => urgent
2010-01-21 17:48psarobeSeveritycritical => major
2010-01-21 17:48psarobeStatusnew => scheduled
2012-02-20 11:21shuehnerAssigned Toshuehner => alostale
2012-02-22 15:51alostaleRelationship addedblocks 0019842
2012-02-22 15:53alostaleTypedefect => design defect
2012-09-24 23:40AugustoMauchNote Added: 0052513
2012-09-24 23:40AugustoMauchPriorityurgent => high
2017-03-31 14:36alostaleStatusscheduled => acknowledged
2017-04-10 14:35alostaleAssigned Toalostale => platform
2022-02-01 08:08alostaleAssigned Toplatform => Triage Platform Base

Notes
(0052513)
AugustoMauch   
2012-09-24 23:40   
Effort: 1
Impact: low
Plan: short