Benjamin Jugl reassigned OFBIZ-10676:

    Assignee: Benjamin Jugl

> Self XSS
> --------
>                 Key: OFBIZ-10676
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10676
>             Project: OFBiz
>          Issue Type: Bug
>          Components: scrum
>    Affects Versions: Trunk, 16.11.05
>            Reporter: Dinesh Mohanty
>            Assignee: Benjamin Jugl
>            Priority: Major
>              Labels: security
> A Self XSS vulnerability is present in "Product Backlog Item" when adding a 
> Product Backlog; details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Log in to the Scrum Management Portal as admin and click on your desired 
> product; in the default instance it is *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is 
> [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries and change the 
> value to *<script>alert(1)</script>* and click on OK
> 4. One can see that the XSS payload executed, confirming the Self XSS.
> Note: The same has been confirmed by the Security Team, so it is being published publicly through 
> the OFBiz Jira platform.
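The root cause behind the report above is the same as for any reflected or stored XSS: a user-supplied field (here the backlog item name) is written back into the page without HTML encoding. The following is an added example, not OFBiz code or code from the reporter; the class, method names and the `<td>` markup are assumptions chosen to illustrate the vulnerable concatenation beside the encoded form.

```java
/**
 * Added example (not OFBiz code): shows why a backlog item name typed by a user
 * must be HTML-escaped before it is written back into the page.
 */
public class BacklogItemRendering {

    /** Minimal HTML entity encoder for text placed in element content or quoted attributes. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the stored value is concatenated straight into markup. */
    public static String renderUnsafe(String itemName) {
        return "<td class=\"backlog-item\">" + itemName + "</td>";
    }

    /** Hardened pattern: the same value, encoded at the point of output. */
    public static String renderSafe(String itemName) {
        return "<td class=\"backlog-item\">" + escapeHtml(itemName) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed input mirroring the payload quoted in the report.
        String edited = "<script>alert(1)</script>";
        System.out.println("unsafe: " + renderUnsafe(edited));
        // Prints the tag as inert text: &lt;script&gt;alert(1)&lt;/script&gt;
        System.out.println("safe:   " + renderSafe(edited));
    }
}
```

Encoding belongs at the output side, in whatever template or widget writes the value into the DOM, rather than at input, so that the stored backlog item text stays intact while the browser only ever sees it as text. In a FreeMarker template the equivalent is the `?html` built-in or an auto-escaping output format; for a client-side inline editor it is assigning to `textContent` instead of `innerHTML`.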

This message was sent by Atlassian JIRA
