[ https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Brohl reassigned OFBIZ-10676:
-------------------------------------

    Assignee: Michael Brohl  (was: Benjamin Jugl)

> Self XSS
> --------
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: Trunk, 17.12.01, 16.11.05, 16.11.06
> Reporter: Dinesh Mohanty
> Assignee: Michael Brohl
> Priority: Major
> Labels: security
> Attachments: OFBIZ-10676_OfbizUtil.patch
>
>
> A Self XSS vulnerability is present in "Product Backlog Item" when adding a
> Product Backlog; details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Log in to the Scrum Management Portal as *productowner* and click on your
> desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is
> [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" and change the
> value to *<script>alert(1)</script>* and click on OK
> 4. One can see that the XSS payload executed, confirming the Self XSS
> Note: The same has been confirmed by the Security Team, so it is being published publicly through
> the OFBiz Jira platform.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
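The report above describes an inline-edit field whose new value is rendered back into the page as markup. The following is an added illustration, not OFBiz code and not the attached patch: a hypothetical model of such a save handler in its vulnerable form next to the escaped form, so that the reported value is treated as text rather than markup.

```javascript
// Added example (hypothetical names; not from OFBiz or the attached patch).
// Models a client-side inline-edit render step for a backlog item.

// Escape the characters that carry meaning in HTML text and attribute
// contexts, so a user-supplied value can never start a tag or attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the edited description is spliced into markup unchanged, so a
// value such as the one in the report becomes a live <script> element once
// the string is assigned via innerHTML.
function renderBacklogItemUnsafe(item) {
  return `<td class="backlog-item" data-id="${item.id}">${item.description}</td>`;
}

// Fixed: every user-controlled value is escaped before it reaches the markup.
// (Assigning item.description via element.textContent would be equivalent
// when building DOM nodes directly instead of HTML strings.)
function renderBacklogItemSafe(item) {
  return `<td class="backlog-item" data-id="${escapeHtml(item.id)}">` +
         `${escapeHtml(item.description)}</td>`;
}

// Simple check usable in a regression test: does the rendered markup still
// contain an opening script tag originating from the value?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed sample input mirroring the report's reproduction step 3.
const sampleItem = { id: 'DEMO-PRODUCT-1', description: '<script>alert(1)</script>' };
console.log('unsafe:', containsScriptTag(renderBacklogItemUnsafe(sampleItem)));
console.log('safe:  ', containsScriptTag(renderBacklogItemSafe(sampleItem)));
```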