Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0012030
TypeCategorySeverityReproducibilityDate SubmittedLast Update
design defect[Openbravo ERP] C. Securitymajoralways2010-01-21 17:452022-02-01 08:08
ReporterefrieseView Statuspublic 
Assigned ToTriage Platform Base 
PriorityhighResolutionopenFixed in Version
StatusacknowledgedFix in branchFixed in SCM revision
ProjectionnoneETAnoneTarget Version
OSLinux 32 bitDatabasePostgreSQLJava version1.6.0_16
OS VersionCommunity ApplianceDatabase version8.3.8Ant version1.7.1
Product Version2.50MP9SCM revision 
Review Assigned To
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0012030: Cross-site Scripting in ActionButton_Responser.html

DescriptionThe input from inpadProcessId is not sufficiently validated/escaped to prevent malicious code from being executed in the browser.
Steps To ReproduceWhile in session, visit /openbravo/ad_actionButton/ActionButton_Responser.html and use the following for inpadProcessId:

inpadProcessId=172>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
Proposed SolutionThe value of inpadProcessId should be escaped to make it safe for the browser. More information can be found at:

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^]
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
blocks design defect 0019842 acknowledgedTriage Platform Base Review Cross-site Scripting 

-  Notes
(0052513)
AugustoMauch (administrator)
2012-09-24 23:40

Effort: 1
Impact: low
Plan: short

- Issue History
Date Modified Username Field Change
2010-01-21 17:45 efriese New Issue
2010-01-21 17:45 efriese Assigned To => alostale
2010-01-21 17:48 psarobe Assigned To alostale => shuehner
2010-01-21 17:48 psarobe Priority normal => urgent
2010-01-21 17:48 psarobe Severity critical => major
2010-01-21 17:48 psarobe Status new => scheduled
2012-02-20 11:21 shuehner Assigned To shuehner => alostale
2012-02-22 15:51 alostale Relationship added blocks 0019842
2012-02-22 15:53 alostale Type defect => design defect
2012-09-24 23:40 AugustoMauch Note Added: 0052513
2012-09-24 23:40 AugustoMauch Priority urgent => high
2017-03-31 14:36 alostale Status scheduled => acknowledged
2017-04-10 14:35 alostale Assigned To alostale => platform
2022-02-01 08:08 alostale Assigned To platform => Triage Platform Base


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker