Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0014857 | Openbravo ERP | C. Security | public | 2010-10-12 01:15 | 2022-02-01 08:08 |
|
| Reporter | cmlh_id_au | |
| Assigned To | Triage Platform Base | |
| Priority | high | Severity | major | Reproducibility | always |
| Status | acknowledged | Resolution | open | |
| Platform | | OS | 20 | OS Version | Community Appliance |
| Product Version | | |
| Target Version | | Fixed in Version | | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0014857: Cross Site Scripting (XSS) - Reflected - ReportInvoiceCustomerFilterJR.html - "inpProjectkind" Parameter |
| Description | The value of the "inpProjectkind" Parameter is not validated and/or escaped during the HTTP GET Request of /openbravo/ad_reports/ReportInvoiceCustomerFilterJR.html and hence is vulnerable to Reflected Cross Site Scripting (XSS) |
| Steps To Reproduce | 1. Copy and paste the following URL into Firefox after authenticating to http://demo2.openbravo.com: [^]
http://demo2.openbravo.com/openbravo/ad_reports/ReportInvoiceCustomerFilterJR.html?Command=&inpProjectpublic=PR&inpCurrencyId=238&inpProjectkind=RO%3Cimg%20src%3da%20onerror%3dalert%28%27XSS%27%29%3E&inpSalesRepId=&inpDateFrom=555-555-0199@example.com&inpProjectphase=PR&inpDateTo=555-555-0199@example.com&inpcRegionId=114&inpcProjectId=&inpcProjectId_D=555-555-0199@example.com&inpcBPartnerId=&inpProjectstatus=OR [^]
2. A Javascript Alert Box will display "XSS" as per the attached screenshot.
|
| Proposed Solution | Validate and escape the value of the "inpProjectkind" Parameter on the server side i.e. prior to the Javascript being executed by the web browser.
|
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files |  Cross_Site_Scripting_(XSS)_-_Reflected_-_ReportInvoiceCustomerFilterJR.html_-_inpProjectkind_Parameter.jpg (83,829) 2010-10-12 01:15
https://issues.openbravo.com/file_download.php?file_id=3215&type=bug
|
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2010-10-12 01:15 | cmlh_id_au | New Issue | |
| 2010-10-12 01:15 | cmlh_id_au | Assigned To | => alostale |
| 2010-10-12 01:15 | cmlh_id_au | File Added: Cross_Site_Scripting_(XSS)_-_Reflected_-_ReportInvoiceCustomerFilterJR.html_-_inpProjectkind_Parameter.jpg | |
| 2010-10-12 01:16 | cmlh_id_au | Issue Monitored: cmlh_id_au | |
| 2010-10-12 01:20 | cmlh_id_au | Note Added: 0031770 | |
| 2010-10-12 01:21 | cmlh_id_au | Note Deleted: 0031770 | |
| 2010-10-25 08:56 | alostale | Assigned To | alostale => shuehner |
| 2010-10-25 08:56 | alostale | Status | new => scheduled |
| 2012-02-20 11:20 | shuehner | Assigned To | shuehner => alostale |
| 2012-02-22 15:52 | alostale | Relationship added | blocks 0019842 |
| 2012-02-22 15:54 | alostale | Type | defect => design defect |
| 2012-09-24 23:25 | AugustoMauch | Note Added: 0052467 | |
| 2012-09-24 23:25 | AugustoMauch | Priority | normal => high |
| 2017-03-31 14:36 | alostale | Status | scheduled => acknowledged |
| 2017-04-10 14:34 | alostale | Assigned To | alostale => platform |
| 2022-02-01 08:08 | alostale | Assigned To | platform => Triage Platform Base |