[
https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl closed OFBIZ-10676.
---------------------------------
Thank you [~dkmin] for reporting.
> UI bug in scrum component
> -------------------------
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: Trunk, 16.11.05, Release Branch 17.12
> Reporter: Dinesh Mohanty
> Assignee: Michael Brohl
> Priority: Major
> Labels: security
> Fix For: 17.12.01, 16.11.06, Upcoming Branch
>
> Attachments: OFBIZ-10676_OfbizUtil.patch
>
>
> An Self XSS bug is present for "Product Backlog Item" for adding a Product
> Backlog details of the issue has been emailed to security team.
> *Steps to Reproduce:*
> 1. Login into Scrum Management Portal as *productowner* and click on your
> desired product in default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above url in my case is
> [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" and change the
> value to *<script>alert(1)</script>* and click on OK
> 4. One can see that the XSS payload executed confirming the Self XSS
> Note: Same has been confirmed by Security Team so publishing publicly through
> Ofbiz Jira platform.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
