[OFBIZ-10676] UI bug in scrum component - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 16.11.05, Release Branch 17.12, Trunk
Fix Version/s: 16.11.06, 17.12.01
Component/s: themes
Labels:
None

Flags:

Important

Description

An Self XSS bug is present for "Product Backlog Item" for adding a Product Backlog details of the issue has been emailed to security team.

Steps to Reproduce:

1. Login into Scrum Management Portal as productowner and click on your desired product in default instance it's "Demo Product 1 [DEMO-PRODUCT-1]"

2. The above url in my case is https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1

3. Now double click on any of the "PRODUCT BACKLOG ITEM" and change the value to <script>alert(1)</script> and click on OK

4. One can see that the XSS payload executed confirming the Self XSS

Note: Same has been confirmed by Security Team so publishing publicly through Ofbiz Jira platform.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OFBIZ-10676_OfbizUtil.patch
28/Nov/18 11:40
0.8 kB
Benjamin Jugl

Activity

People

Assignee:: Michael Brohl

Reporter:: Dinesh Mohanty

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 27/Nov/18 08:32

Updated:: 11/Jan/22 09:36

Resolved:: 08/Dec/18 09:09