Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0012032Openbravo ERPC. Securitypublic2010-01-21 17:552011-11-22 18:31
efriese 
shuehner 
normalmajoralways
closedduplicate 
20Community Appliance
2.50MP9 
 
Core
No
0012032: Cross-site Scripting in Form_Relation.html
The value for inpParamSessionDate is not validated/escaped to prevent malicious code from being executed in the browser.
The TamperData plugin for Firefox or another type of proxy will be needed to reproduce. Visit /openbravo/Form/Form_Relation.html and use TamperData to change the value of inpParamSessionDate to:

inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
The value of inpParamSessionDat should be escaped to prevent code from being executed in the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^]
No tags attached.
duplicate of design defect 0012034 acknowledged Triage Platform Base Cross-site Scripting in the generated xxx_Relation.html files 
Issue History
2010-01-21 17:55efrieseNew Issue
2010-01-21 17:55efrieseAssigned To => alostale
2010-01-25 08:15alostaleStatusnew => scheduled
2010-01-25 08:15alostaleAssigned Toalostale => shuehner
2011-11-22 18:31shuehnerRelationship addedduplicate of 0012034
2011-11-22 18:31shuehnerNote Added: 0043096
2011-11-22 18:31shuehnerStatusscheduled => closed
2011-11-22 18:31shuehnerResolutionopen => duplicate

Notes
(0043096)
shuehner   
2011-11-22 18:31   
Consolidating issue based on same source file. Keeping all of them in issue 12034.