Scott Gray commented on OFBIZ-10676:

Just to clarify for anyone reading this and being concerned, this isn't a 
security vulnerability and presents no risk of attack to users.

After being sent to the server via AJAX to update the record, the data is 
inserted directly into the page without being html encoded, and this triggers 
the script.  However, only the logged in user that inserted the script is 
affected (immediately after submission), subsequent page loads by this user or 
any other user renders the script unexecutable because it is correctly encoded 
as html in both view and edit mode when being rendered server-side.

So it's simply a UI bug rather than a vulnerability.

Thanks for the report Dinesh

> Self XSS
> --------
>                 Key: OFBIZ-10676
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10676
>             Project: OFBiz
>          Issue Type: Bug
>          Components: scrum
>    Affects Versions: Trunk, 16.11.05
>            Reporter: Dinesh Mohanty
>            Assignee: Benjamin Jugl
>            Priority: Major
>              Labels: security
> An Self XSS Vulnerability is present for "Product Backlog Item" for adding a 
> Product Backlog details of the issue has been emailed to security team.
> *Steps to Reproduce:*
> 1. Login into Scrum Management Portal as *productowner* and click on your 
> desired product in default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above url in my case is 
> [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" and change the 
> value to *<script>alert(1)</script>* and click on OK
> 4. One can see that the XSS payload executed confirming the Self XSS 
> Note: Same has been confirmed by Security Team so publishing publicly through 
> Ofbiz Jira platform.

This message was sent by Atlassian JIRA

Reply via email to