Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: Trunk, 16.11.05, Release Branch 17.12
-
Fix Version/s: 17.12.01, 16.11.06, Upcoming Branch
-
Component/s: themes
-
Labels:None
-
Flags:Important
Description
An Self XSS bug is present for "Product Backlog Item" for adding a Product Backlog details of the issue has been emailed to security team.
Steps to Reproduce:
1. Login into Scrum Management Portal as productowner and click on your desired product in default instance it's "Demo Product 1 [DEMO-PRODUCT-1]"
2. The above url in my case is https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1
3. Now double click on any of the "PRODUCT BACKLOG ITEM" and change the value to <script>alert(1)</script> and click on OK
4. One can see that the XSS payload executed confirming the Self XSS
Note: Same has been confirmed by Security Team so publishing publicly through Ofbiz Jira platform.