Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0012033Openbravo ERPC. Securitypublic2010-01-21 17:592022-02-01 08:08
efriese 
Triage Platform Base 
highmajoralways
acknowledgedopen 
20Community Appliance
 
 
Core
No
0012033: Cross-site Scripting in BusinessPartner.html
The value of inpAD_Org_ID is not validated/escaped to prevent malicious code from being executed in the browser.
The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit /openbravo/info/BusinessPartner.html while using TamperData to set inpAD_Org_ID to:

inpAD_Org_ID=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
The value for inpAD_Org_ID should be escaped so that code will not be executed by the browser. More information can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^]
No tags attached.
blocks design defect 0019842 acknowledged Triage Platform Base Review Cross-site Scripting 
Issue History
2010-01-21 17:59efrieseNew Issue
2010-01-21 17:59efrieseAssigned To => alostale
2010-01-25 08:15alostaleStatusnew => scheduled
2010-01-25 08:15alostaleAssigned Toalostale => shuehner
2012-02-20 11:21shuehnerAssigned Toshuehner => alostale
2012-02-22 15:52alostaleRelationship addedblocks 0019842
2012-02-22 15:53alostaleTypedefect => design defect
2012-09-24 23:39AugustoMauchNote Added: 0052511
2012-09-24 23:39AugustoMauchPrioritynormal => high
2017-03-31 14:36alostaleStatusscheduled => acknowledged
2017-04-10 14:35alostaleAssigned Toalostale => platform
2022-02-01 08:08alostaleAssigned Toplatform => Triage Platform Base

Notes
(0052511)
AugustoMauch   
2012-09-24 23:39   
Effort: 1
Impact: low
Plan: short