Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-10676

UI bug in scrum component

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 16.11.05, Release Branch 17.12, Trunk
    • 16.11.06, 17.12.01
    • themes
    • None
    • Important

    Description

      An Self XSS bug is present for "Product Backlog Item" for adding a Product Backlog details of the issue has been emailed to security team.

      Steps to Reproduce:

      1. Login into Scrum Management Portal as productowner and click on your desired product in default instance it's "Demo Product 1 [DEMO-PRODUCT-1]"

      2. The above url in my case is https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1

      3. Now double click on any of the "PRODUCT BACKLOG ITEM" and change the value to <script>alert(1)</script> and click on OK

      4. One can see that the XSS payload executed confirming the Self XSSĀ 

      Note: Same has been confirmed by Security Team so publishing publicly through Ofbiz Jira platform.

      Attachments

        1. OFBIZ-10676_OfbizUtil.patch
          0.8 kB
          Benjamin Jugl

        Activity

          People

            mbrohl Michael Brohl
            dkmin Dinesh Mohanty
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: