Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0012037Openbravo ERPC. Securitypublic2010-01-21 18:162011-11-22 18:31
efriese 
shuehner 
normalmajoralways
closedduplicate 
20Community Appliance
2.50MP9 
 
Core
No
0012037: Cross-site Scripting in User_Relation.html
The value of inpParamSessionDate is not validated/escaped to prevent malicious data from being executed by the browser.
The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit /openbravo/User/User_Relation.html while using TamperData to set the value of inpParamSessionDate to:

inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
The value of inpParamSessionDate should be escaped to prevent code from being executed in the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^]
No tags attached.
duplicate of design defect 0012034 acknowledged Triage Platform Base Cross-site Scripting in the generated xxx_Relation.html files 
Issue History
2010-01-21 18:16efrieseNew Issue
2010-01-21 18:16efrieseAssigned To => alostale
2010-01-25 08:15alostaleStatusnew => scheduled
2010-01-25 08:15alostaleAssigned Toalostale => shuehner
2011-11-22 18:31shuehnerRelationship addedduplicate of 0012034
2011-11-22 18:31shuehnerNote Added: 0043095
2011-11-22 18:31shuehnerStatusscheduled => closed
2011-11-22 18:31shuehnerResolutionopen => duplicate

Notes
(0043095)
shuehner   
2011-11-22 18:31   
Consolidating issue based on same source file. Keeping all of them in issue 12034.