Openbravo Issue Tracking System - Openbravo ERP
View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012038 | Openbravo ERP | C. Security | public | 2010-01-21 18:24 | 2022-02-01 08:08 |

| Field | Value |
|---|---|
| Reporter | efriese |
| Assigned To | Triage Platform Base |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | acknowledged |
| Resolution | open |
| Platform | |
| OS | 20 |
| OS Version | Community Appliance |
| Product Version | 2.50MP9 |
| Target Version | |
| Fixed in Version | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | No |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
| Summary | 0012038: Multiple Cross-site Scripting Vulnerabilities in DataGrid.html |
| Description | The values for inpAccessLevel, offset, and page_size are not validated/escaped to prevent malicious code from being executed by the browser. |
Steps To Reproduce:

The TamperData plugin for Firefox or another proxy will be needed to reproduce for offset and page_size.

Visiting /openbravo/utility/DataGrid.html and setting inpAccessLevel to:

    inpAccessLevel=4>%22%27><img%20src%3d%22javascript:alert(65234)%22>

To reproduce for offset and page_size, use the TamperData plugin to set the POST values to:

    offset=0>%22%27><img%20src%3d%22javascript:alert('XSS')%22>
    page_size=60>%22%27><img%20src%3d%22javascript:alert('XSS')%22>
Proposed Solution:

The values for inpAccessLevel, offset, and page_size should be escaped to prevent code from being executed in the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
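The fix the reporter proposes is the standard one for reflected XSS: treat every request parameter as untrusted, validate the ones that have a fixed shape, and HTML-escape anything that is written back into the page. The following is an added example, not Openbravo's own code; it assumes a servlet-style handler that echoes inpAccessLevel into a hidden input and uses offset and page_size for paging (the hidden field, bounds and defaults are constructed for illustration). The sample inputs are the URL-decoded payloads from this report.

```java
import java.util.Optional;

// Added example: validation and output escaping for the three DataGrid.html
// parameters named in this report. Not Openbravo code.
public class DataGridParamHardening {

    // Escape the characters that let a value break out of an HTML text node
    // or a double- or single-quoted attribute. Doing this at output time is
    // what stops the "><img ...> sequences in the report from being parsed
    // as markup by the browser.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // offset and page_size are only meaningful as bounded non-negative integers,
    // so validate them by shape and range instead of escaping free text.
    // Anything else is rejected and the caller falls back to a default.
    static Optional<Integer> parseBoundedInt(String raw, int min, int max) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            return Optional.empty();
        }
        int v = Integer.parseInt(raw);
        return (v >= min && v <= max) ? Optional.of(v) : Optional.empty();
    }

    // Render the hidden field the way a hardened handler would: escaped value,
    // never raw. (Hypothetical field rendering; the real page layout differs.)
    static String renderHiddenField(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeHtml(name)
            + "\" value=\"" + escapeHtml(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the report's payloads, URL-decoded.
        String inpAccessLevel = "4>\"'><img src=\"javascript:alert(65234)\">";
        String offset = "0>\"'><img src=\"javascript:alert('XSS')\">";
        String pageSize = "60";

        // The payload survives only as inert text inside the attribute.
        System.out.println(renderHiddenField("inpAccessLevel", inpAccessLevel));

        // The tampered offset fails validation and is replaced by the default;
        // the well-formed page_size passes. Bounds and defaults are assumptions.
        int safeOffset = parseBoundedInt(offset, 0, 1_000_000).orElse(0);
        int safePageSize = parseBoundedInt(pageSize, 1, 500).orElse(60);
        System.out.println("offset=" + safeOffset + " page_size=" + safePageSize);
    }
}
```

Escaping alone would also neutralise offset and page_size, but numeric parameters are better rejected outright: a value that is not a small integer has no legitimate use, and refusing it keeps the bad input out of logs and SQL paging logic as well as out of the HTML.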
| Field | Value |
|---|---|
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |

Issue History
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2010-01-21 18:24 | efriese | New Issue | |
| 2010-01-21 18:24 | efriese | Assigned To | => alostale |
| 2010-01-25 08:15 | alostale | Status | new => scheduled |
| 2010-01-25 08:15 | alostale | Assigned To | alostale => shuehner |
| 2011-10-28 13:54 | dmitry_mezentsev | OBNetwork customer | => No |
| 2011-10-28 13:54 | dmitry_mezentsev | Type | defect => design defect |
| 2012-02-20 11:14 | shuehner | Assigned To | shuehner => alostale |
| 2012-09-24 23:39 | AugustoMauch | Note Added: 0052509 | |
| 2012-09-24 23:39 | AugustoMauch | Priority | normal => high |
| 2017-03-31 14:36 | alostale | Status | scheduled => acknowledged |
| 2017-04-10 14:35 | alostale | Assigned To | alostale => platform |
| 2022-02-01 08:08 | alostale | Assigned To | platform => Triage Platform Base |

Notes