Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-12584

Stored XSS in webappPath parameter from content/control/EditWebSite

    XMLWordPrintableJSON

Details

    • Bug Crush Event - 21/2/2015

    Description

      A user with rights to modify and/or create websites may insert malicious HTML elements in
      the “webappPath” parameter from content/control/EditWebSite resulting in XSS.

      In order to trigger the XSS a victim needs to navigate to main page of the modified website (eg webpos or ecommerce) and interact with the malicious HTML elements (eg trigger the “onmouseover” event by navigating with the mouse over the “form” and/or “a” tags).

      Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerabily

      Attachments

        Activity

          People

            jleroux Jacques Le Roux
            jleroux Jacques Le Roux
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: