Project:
View Issue Details
ID | 0012035
Type | defect
Category | [Openbravo ERP] C. Security
Severity | major
Reproducibility | always
Date Submitted | 2010-01-21 18:08
Last Update | 2011-11-22 18:30
Reporter | efriese
View Status | public
Assigned To | shuehner
Priority | normal
Resolution | duplicate
Fixed in Version |
Status | closed
Fix in branch |
Fixed in SCM revision |
Projection | none
ETA | none
Target Version |
OS | Linux 32 bit
OS Version | Community Appliance
Database | PostgreSQL
Database version | 8.3.8
Java version | 1.6.0_16
Ant version | 1.7.1
Product Version | 2.50MP9
SCM revision |
Review Assigned To |
Web browser |
Modules | Core
Regression level |
Regression date |
Regression introduced in release |
Regression introduced by commit |
Triggers an Emergency Pack | No
Summary | 0012035: Cross-site Scripting in Reference_Relation.html
Description | The value of inpParamSessionDate is not validated/escaped to prevent malicious code from being executed in the browser.
Steps To Reproduce | The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit /openbravo/Reference/Reference_Relation.html and use TamperData to change the value of inpParamSessionDate to: inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22> An alert box will display XSS.
Proposed Solution | The value of inpParamSessionDate should be escaped to prevent code from being executed by the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Tags | No tags attached.
Attached Files |
Relationships |
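The report above says the parameter is neither validated nor escaped, and the proposed fix is output escaping. The following Python block is an added illustration (not Openbravo code, and not the fix that was applied in the consolidated issue) of both halves of that advice applied to the exact payload from the Steps To Reproduce: it URL-decodes the reported value, shows how concatenating it into markup produces a live `<img>` tag, shows that HTML-escaping the same value neutralises it, and shows that validating the value as a date rejects it outright. The hidden-input context and the `dd-MM-yyyy` date format are assumptions for the example; the report does not say where in Reference_Relation.html the value is reflected.

```python
import html
from datetime import datetime
from typing import Optional
from urllib.parse import unquote

# Payload exactly as given in the report (URL-encoded form value).
REPORTED_PAYLOAD = ">%22%27><img%20src%3d%22javascript:alert('XSS')%22>"

# What the servlet actually sees after the container decodes the parameter:
#   >"'><img src="javascript:alert('XSS')">
DECODED_PAYLOAD = unquote(REPORTED_PAYLOAD)

# Assumed reflection context: a hidden field carrying the session date back
# to the browser. The real template in Reference_Relation.html may differ.
TEMPLATE = '<input type="hidden" name="inpParamSessionDate" value="{value}">'


def render_unescaped(param_value: str) -> str:
    """Vulnerable pattern: the request value is concatenated straight into HTML.

    The leading >"' in the payload closes the value attribute and the tag,
    so everything after it is parsed as new markup.
    """
    return TEMPLATE.format(value=param_value)


def render_escaped(param_value: str) -> str:
    """Hardened pattern: HTML-escape before reflecting into an attribute.

    quote=True also escapes double and single quotes, which is what stops
    the attribute from being closed early.
    """
    return TEMPLATE.format(value=html.escape(param_value, quote=True))


def validate_session_date(param_value: str, fmt: str = "%d-%m-%Y") -> Optional[str]:
    """Input validation: a session date must parse as a date, or it is rejected.

    The format is an assumption for this example; Openbravo's date format is
    configurable per installation. Returns the canonical string on success,
    None on failure, so the caller never reflects the raw input.
    """
    try:
        return datetime.strptime(param_value, fmt).strftime(fmt)
    except ValueError:
        return None


def contains_injected_tag(markup: str) -> bool:
    """True if an <img tag survived into the rendered markup."""
    return "<img" in markup


if __name__ == "__main__":
    print("decoded :", DECODED_PAYLOAD)
    print("unescaped:", render_unescaped(DECODED_PAYLOAD))
    print("escaped  :", render_escaped(DECODED_PAYLOAD))
    print("as date  :", validate_session_date(DECODED_PAYLOAD))
    print("valid    :", validate_session_date("21-01-2010"))
```

Escaping alone (the proposed solution) is enough to stop the reported payload in an attribute context; validating the parameter as a date is the stricter check, since a session date has no legitimate reason to contain quotes or angle brackets at all.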
Notes
(0043093) shuehner (administrator) 2011-11-22 18:30
Consolidating issue based on same source file. Keeping all of them in issue 12034.
Issue History
Date Modified | Username | Field | Change |
2010-01-21 18:08 | efriese | New Issue | |
2010-01-21 18:08 | efriese | Assigned To | => alostale |
2010-01-25 08:15 | alostale | Status | new => scheduled |
2010-01-25 08:15 | alostale | Assigned To | alostale => shuehner |
2011-11-22 18:30 | shuehner | Relationship added | duplicate of 0012034 |
2011-11-22 18:30 | shuehner | Note Added: 0043093 | |
2011-11-22 18:30 | shuehner | Status | scheduled => closed |
2011-11-22 18:30 | shuehner | Resolution | open => duplicate |