OFBIZ-10676: UI bug in scrum component


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk, 16.11.05, Release Branch 17.12
    • Fix Version/s: 17.12.01, 16.11.06, Upcoming Branch
    • Component/s: themes
    • Labels:
      None
    • Flags:
      Important

      Description

      A self-XSS bug is present in "Product Backlog Item" when adding a Product Backlog; details of the issue have been emailed to the security team.

      Steps to Reproduce:

      1. Log in to the Scrum Management Portal as productowner and click on your desired product; in the default instance it's "Demo Product 1 [DEMO-PRODUCT-1]".

      2. The resulting URL in my case is https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1

      3. Now double-click on any of the "PRODUCT BACKLOG ITEM" entries, change the value to <script>alert(1)</script> and click OK.

      4. One can see that the XSS payload executes, confirming the self-XSS.

      Note: The same has been confirmed by the Security Team, so it is being published publicly through the OFBiz Jira platform.
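      As an added illustration of the defect class reported above (this is not OFBiz code and not the contents of the attached OfbizUtil patch, whose actual change the issue does not describe): an inline-edit handler that splices the edited cell value straight into markup, beside one that HTML-escapes the value first. The cell-rendering helpers and the wrapper `<td>` are assumptions made for the example; the sample value is the payload quoted in step 3.

```javascript
// Added example, not OFBiz's own code: escaping user-supplied text before it is
// placed into HTML, the standard defence against the inline-edit self-XSS
// described in this issue. renderCell* and the <td> wrapper are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has meaning in HTML with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the edited value is concatenated into markup unchanged,
// so any tags the user typed into the cell become live DOM.
function renderCellUnsafe(backlogItemText) {
  return `<td class="backlog-item">${backlogItemText}</td>`;
}

// Hardened pattern: escape first, so the browser shows the typed text literally.
function renderCellSafe(backlogItemText) {
  return `<td class="backlog-item">${escapeHtml(backlogItemText)}</td>`;
}

// Regression check usable in a unit test: after stripping the wrapper we
// emitted ourselves, does the rendered fragment still contain a tag opener?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<td class="backlog-item">/, '')
    .replace(/<\/td>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample value: the payload quoted in step 3 of this issue.
const SAMPLE_VALUE = '<script>alert(1)</script>';

console.log('unsafe :', renderCellUnsafe(SAMPLE_VALUE));
console.log('safe   :', renderCellSafe(SAMPLE_VALUE));
console.log('unsafe contains injected tag:', containsInjectedTag(renderCellUnsafe(SAMPLE_VALUE)));
console.log('safe contains injected tag  :', containsInjectedTag(renderCellSafe(SAMPLE_VALUE)));
```

      When real DOM APIs are available, assigning the value with `cell.textContent = value` achieves the same result without building markup strings at all; the escaping helper is for the code paths that do assemble HTML by concatenation, which is where this kind of bug lives.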

        Attachments

        1. OFBIZ-10676_OfbizUtil.patch
          0.8 kB
          Benjamin Jugl


            People

            • Assignee: mbrohl Michael Brohl
            • Reporter: dkmin Dinesh Mohanty
            • Votes: 0
            • Watchers: 5
