Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0012037 | Openbravo ERP | C. Security | public | 2010-01-21 18:16 | 2011-11-22 18:31 |
|
| Reporter | efriese | |
| Assigned To | shuehner | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | duplicate | |
| Platform | | OS | 20 | OS Version | Community Appliance |
| Product Version | 2.50MP9 | |
| Target Version | | Fixed in Version | | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0012037: Cross-site Scripting in User_Relation.html |
| Description | The value of inpParamSessionDate is not validated/escaped to prevent malicious data from being executed by the browser. |
| Steps To Reproduce | The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit /openbravo/User/User_Relation.html while using TamperData to set the value of inpParamSessionDate to:
inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>
An alert box will display XSS. |
| Proposed Solution | The value of inpParamSessionDate should be escaped to prevent code from being executed in the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^] |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | duplicate of | design defect | 0012034 | | acknowledged | Triage Platform Base | Cross-site Scripting in the generated xxx_Relation.html files |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2010-01-21 18:16 | efriese | New Issue | |
| 2010-01-21 18:16 | efriese | Assigned To | => alostale |
| 2010-01-25 08:15 | alostale | Status | new => scheduled |
| 2010-01-25 08:15 | alostale | Assigned To | alostale => shuehner |
| 2011-11-22 18:31 | shuehner | Relationship added | duplicate of 0012034 |
| 2011-11-22 18:31 | shuehner | Note Added: 0043095 | |
| 2011-11-22 18:31 | shuehner | Status | scheduled => closed |
| 2011-11-22 18:31 | shuehner | Resolution | open => duplicate |