View Issue Details
ID: 0012031
Type: design defect
Category: [Openbravo ERP] C. Security
Severity: major
Reproducibility: always
Date Submitted: 2010-01-21 17:50
Last Update: 2022-02-01 08:08
Reporter: efriese
View Status: public
Assigned To: Triage Platform Base
Priority: high
Resolution: open
Fixed in Version: (none)
Status: acknowledged
Fix in branch: (none)
Fixed in SCM revision: (none)
Projection: none
ETA: none
Target Version: (none)
OS: Linux 32 bit
Database: PostgreSQL
Java version: 1.6.0_16
OS Version: Community Appliance
Database version: 8.3.8
Ant version: 1.7.1
Product Version: 2.50MP9
SCM revision: (none)
Review Assigned To: (none)
Web browser: (none)
Modules: Core
Regression level: (none)
Regression date: (none)
Regression introduced in release: (none)
Regression introduced by commit: (none)
Triggers an Emergency Pack: No
Summary: 0012031: Cross-site Scripting in WorkflowControl.html

Description: The value of inpadWorkflowId is not validated/escaped to prevent malicious code from being executed in the browser.

Steps To Reproduce: While in session, visit /openbravo/ad_workflow/WorkflowControl.html and set inpadWorkflowId to the following:

inpadWorkflowId=103>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
Proposed Solution: The value of inpadWorkflowId should be escaped to prevent code from being executed in the browser. More information can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Tags: No tags attached.
Attached Files: (none)
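The fix the report asks for is output encoding at the point where inpadWorkflowId is written back into the page, ideally combined with rejecting values that do not look like an ID at all. The following is an added illustration, not Openbravo's own code: it assumes a workflow ID is a short alphanumeric token (ID_PATTERN is an assumption, not Openbravo's real ID format) and that the page reflects the value into a hidden input (also assumed for the demo). The test input is the report's payload after URL decoding.

```java
import java.util.regex.Pattern;

/**
 * Added example (not part of Openbravo): defensive handling of a request
 * parameter such as inpadWorkflowId before it is echoed into HTML.
 * The ID pattern and the hidden-input rendering are assumptions for illustration.
 */
public final class WorkflowIdEscaping {

    // Assumption: a well-formed workflow ID is a short alphanumeric token.
    // Anything else is rejected up front rather than "cleaned".
    private static final Pattern ID_PATTERN = Pattern.compile("^[A-Za-z0-9]{1,32}$");

    /** Returns the ID if it is well-formed, otherwise null so the caller can fail the request. */
    public static String validateWorkflowId(String raw) {
        if (raw == null || !ID_PATTERN.matcher(raw).matches()) {
            return null;
        }
        return raw;
    }

    /** Escapes the characters that are significant in HTML text and attribute contexts. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Builds the (assumed) hidden input the page emits, always through the escaper. */
    public static String renderHiddenInput(String workflowId) {
        return "<input type=\"hidden\" name=\"inpadWorkflowId\" value=\""
                + escapeHtml(workflowId) + "\">";
    }

    public static void main(String[] args) {
        // Constructed input: the report's payload as it arrives after URL decoding.
        String payload = "103>\"'><img src=\"javascript:alert('XSS')\">";

        // Validation rejects it outright (prints "null").
        System.out.println("validate -> " + validateWorkflowId(payload));

        // Even if validation were skipped, the escaped output contains no raw
        // '<', '>' or '"', so the browser keeps it inside the attribute value
        // instead of parsing a new <img> element.
        System.out.println("render   -> " + renderHiddenInput(payload));

        // A legitimate value passes both steps unchanged.
        System.out.println("validate -> " + validateWorkflowId("103"));
        System.out.println("render   -> " + renderHiddenInput("103"));
    }
}
```

Escaping must match the context the value lands in: the escaper above is correct for element text and quoted attribute values, but a value written into a JavaScript block or a URL needs that context's encoding instead. Validation is the cheaper first line of defence, because a parameter that is supposed to be an identifier has no reason to contain markup characters at all.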

Relationships
blocks | design defect | 0019842 | acknowledged | Triage Platform Base | Review Cross-site Scripting

Notes
(0052512)
AugustoMauch (administrator)
2012-09-24 23:40

Effort: 1
Impact: low
Plan: short

Issue History
Date Modified Username Field Change
2010-01-21 17:50 efriese New Issue
2010-01-21 17:50 efriese Assigned To => alostale
2010-01-21 17:54 psarobe Assigned To alostale => shuehner
2010-01-21 17:54 psarobe Priority normal => urgent
2010-01-21 17:54 psarobe Severity critical => major
2010-01-21 17:54 psarobe Status new => scheduled
2012-02-20 11:21 shuehner Assigned To shuehner => alostale
2012-02-22 15:51 alostale Relationship added blocks 0019842
2012-02-22 15:53 alostale Type defect => design defect
2012-09-24 23:40 AugustoMauch Note Added: 0052512
2012-09-24 23:40 AugustoMauch Priority urgent => high
2017-03-31 14:36 alostale Status scheduled => acknowledged
2017-04-10 14:35 alostale Assigned To alostale => platform
2022-02-01 08:08 alostale Assigned To platform => Triage Platform Base


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker