Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0012031
Project: Openbravo ERP
Category: C. Security
View status: public
Date submitted: 2010-01-21 17:50
Last update: 2022-02-01 08:08
Reporter: efriese
Assigned To: Triage Platform Base
Priority: high / Severity: major / Reproducibility: always
Status: acknowledged / Resolution: open
20Community Appliance
2.50MP9 
 
Core
No
0012031: Cross-site Scripting in WorkflowControl.html
The value of inpadWorkflowId is not validated/escaped to prevent malicious code from being executed in the browser.
While in session, visit /openbravo/ad_workflow/WorkflowControl.html and set inpadWorkflowId to the following:

inpadWorkflowId=103>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
The value of inpadWorkflowId should be escaped to prevent code from being executed in the browser. More information can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
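The payload in the report closes the attribute and tag the parameter is written into (`"` and `'` end the value, `>` ends the element) and then injects its own element. The class below is an added, self-contained illustration of the defect and of the two-part fix the report asks for; it is not Openbravo's own code. It assumes the parameter is reflected into a hidden input's value attribute (the report does not say which template writes it), that a servlet container URL-decodes the value before the application sees it, and, for the validation step, that an AD_Workflow ID is either a short numeric legacy ID such as 103 or a 32-character uppercase hexadecimal ID; the markup and the `WORKFLOW_ID` pattern are therefore assumptions, not Openbravo's actual ones.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class WorkflowIdEscapeDemo {

    // The value from the report, still percent-encoded as the browser sends it.
    static final String REPORTED_PAYLOAD =
            "103>%22%27><img%20src%3d%22javascript:alert('XSS')%22>";

    // Assumption: AD_Workflow IDs are a short numeric legacy ID (e.g. 103) or a
    // 32-character uppercase hex ID. Anything else is rejected before rendering.
    static final Pattern WORKFLOW_ID = Pattern.compile("[0-9]{1,10}|[0-9A-F]{32}");

    /** Decodes the raw query value the way a servlet container does for getParameter(). */
    static String decodeParameter(String raw) {
        return URLDecoder.decode(raw, StandardCharsets.UTF_8);
    }

    /** Escapes the five characters that can break out of an HTML attribute or text node. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Allow-list check: true only if the value looks like a workflow ID. */
    static boolean isValidWorkflowId(String id) {
        return WORKFLOW_ID.matcher(id).matches();
    }

    /** Vulnerable pattern: the decoded parameter is concatenated straight into the markup. */
    static String renderUnsafe(String inpadWorkflowId) {
        return "<input type=\"hidden\" name=\"inpadWorkflowId\" value=\""
                + inpadWorkflowId + "\">";
    }

    /** Hardened pattern: reject values outside the ID format, then escape what is emitted. */
    static String renderSafe(String inpadWorkflowId) {
        if (!isValidWorkflowId(inpadWorkflowId)) {
            throw new IllegalArgumentException("inpadWorkflowId has an unexpected format");
        }
        return "<input type=\"hidden\" name=\"inpadWorkflowId\" value=\""
                + escapeHtml(inpadWorkflowId) + "\">";
    }

    public static void main(String[] args) {
        String decoded = decodeParameter(REPORTED_PAYLOAD);
        // 103>"'><img src="javascript:alert('XSS')">
        System.out.println("decoded : " + decoded);
        // The quote and '>' in the value terminate the input element; the img is now live markup.
        System.out.println("unsafe  : " + renderUnsafe(decoded));
        // Every break-out character becomes an entity; the browser renders it as text in the attribute.
        System.out.println("escaped : " + escapeHtml(decoded));
        System.out.println("valid id: payload=" + isValidWorkflowId(decoded)
                + " legit=" + isValidWorkflowId("103"));
        System.out.println("safe    : " + renderSafe("103"));
    }
}
```

Escaping is the fix that closes the reported bug regardless of what values reach the page; the format check is defence in depth that also stops the value being used in a later lookup. Note that `escapeHtml` is only correct for HTML text and quoted-attribute contexts; if the same parameter is ever written into a JavaScript string, a URL, or a CSS value, that context needs its own encoding.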
No tags attached.
Relationships: blocks 0019842 (design defect, acknowledged, Triage Platform Base): Review Cross-site Scripting
Issue History
2010-01-21 17:50 | efriese | New Issue
2010-01-21 17:50 | efriese | Assigned To | => alostale
2010-01-21 17:54 | psarobe | Assigned To | alostale => shuehner
2010-01-21 17:54 | psarobe | Priority | normal => urgent
2010-01-21 17:54 | psarobe | Severity | critical => major
2010-01-21 17:54 | psarobe | Status | new => scheduled
2012-02-20 11:21 | shuehner | Assigned To | shuehner => alostale
2012-02-22 15:51 | alostale | Relationship added | blocks 0019842
2012-02-22 15:53 | alostale | Type | defect => design defect
2012-09-24 23:40 | AugustoMauch | Note Added: 0052512
2012-09-24 23:40 | AugustoMauch | Priority | urgent => high
2017-03-31 14:36 | alostale | Status | scheduled => acknowledged
2017-04-10 14:35 | alostale | Assigned To | alostale => platform
2022-02-01 08:08 | alostale | Assigned To | platform => Triage Platform Base

Notes
(0052512) AugustoMauch, 2012-09-24 23:40
Effort: 1
Impact: low
Plan: short