Benjamin Jugl commented on OFBIZ-10676:

The confirmational blinking of the newly added value was implemented using the 
.html(value) function of jQuery. This causes the HTML to be interpreted and the 
script to be performed. But the data is stored converted into HTML (e.g. 
"<" becomes &lt;). Thus it will never be executed again.

I changed the call to .text. This prevents the HTML from being interpreted.

> Self XSS
> --------
>                 Key: OFBIZ-10676
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10676
>             Project: OFBiz
>          Issue Type: Bug
>          Components: scrum
>    Affects Versions: Trunk, 16.11.05
>            Reporter: Dinesh Mohanty
>            Assignee: Benjamin Jugl
>            Priority: Major
>              Labels: security
> A Self XSS vulnerability is present in "Product Backlog Item" when adding a 
> Product Backlog; details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Login into the Scrum Management Portal as *productowner* and click on your 
> desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is 
> [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" and change the 
> value to *<script>alert(1)</script>* and click on OK
> 4. One can see that the XSS payload executed, confirming the Self XSS.
> Note: The same has been confirmed by the Security Team, so publishing publicly through 
> the OFBiz Jira platform.
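The difference between the vulnerable `.html(value)` call and the `.text(value)` fix described in the comment, as an added example that is not OFBiz code: it models jQuery's two setters on a stand-in DOM node (FakeNode, escapeHtml and createsScriptElement are assumed helpers written for this illustration) and checks the one-shot confirmation render against the HTML-encoded stored form.

```javascript
// Added example, not code from OFBiz or the OFBIZ-10676 patch: a DOM-free model of
// jQuery .html(v) vs .text(v) so the Self XSS fix can be reasoned about offline.

// HTML-encode the characters that would otherwise start markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for a DOM node: innerHTML is the markup the browser would parse.
class FakeNode {
  constructor() { this.innerHTML = ''; }
  // As on a real node, assigning textContent serialises as escaped markup.
  set textContent(v) { this.innerHTML = escapeHtml(v); }
}

// Vulnerable path: jQuery's .html(value) hands the raw string to the HTML parser.
function blinkWithHtml(node, value) { node.innerHTML = value; return node; }

// Fixed path: jQuery's .text(value) sets textContent, so markup stays literal.
function blinkWithText(node, value) { node.textContent = value; return node; }

// Would the resulting markup create a <script> element when parsed?
function createsScriptElement(markup) { return /<script\b/i.test(markup); }

// Constructed sample: the payload from the issue report.
const PAYLOAD = '<script>alert(1)</script>';

// One verdict per rendering of the same user-supplied value:
//  - confirmViaHtml: the confirmation blink as originally implemented
//  - confirmViaText: the confirmation blink after the fix
//  - reloadViaHtml:  a later render of the HTML-encoded stored form
function compare(value) {
  const storedForm = escapeHtml(value);  // "<" is persisted as &lt;, per the comment
  return {
    confirmViaHtml: createsScriptElement(blinkWithHtml(new FakeNode(), value).innerHTML),
    confirmViaText: createsScriptElement(blinkWithText(new FakeNode(), value).innerHTML),
    reloadViaHtml: createsScriptElement(blinkWithHtml(new FakeNode(), storedForm).innerHTML),
  };
}
```

Only the original confirmation render reports a script element; the fixed render and the reload of the stored, encoded value do not.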

This message was sent by Atlassian JIRA