Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-10054

Product content management screen doesn't validate trusted users' input

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Release Branch 16.11, Trunk
    • 16.11.06, 17.12.01, 18.12.01
    • product
    • None

    Description

      Steps to recreate:

      1) go to (authenticate with admin/ofbiz):
      https://localhost:8443/catalog/control/EditProductContent?productId=WG-1111

      2) set the content of the field labeled "Large Image" to:
      non_existent.foo" onerror="alert('Hi!');

      3) visit the url:
      https://localhost:8443/ecommerce/control/product?product_id=WG-1111

      A popup message will appear with the "Hi!".

      Thanks to Loris Nardo for the report.

      Attachments

        Issue Links

          is a child of

          Improvement - An improvement or enhancement to an existing feature or task. OFBIZ-1525 Issue to group security concerns

          • Critical - Crashes, loss of data, severe memory leak.
          • Open
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OFBIZ-5254 Services allow arbitrary HTML for parameters with allow-html set to "safe"

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              jleroux Jacques Le Roux
              jacopoc Jacopo Cappellato
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: