[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12434418 ]

David E. Jones commented on OFBIZ-260:
--------------------------------------

Has anyone found an actual vulnerability related to this?

It is somewhat natural with webapps that you can change the behavior by 
changing (directly or indirectly) the text that the browser interprets.

The real question is whether or not it is possible to change server-side 
behavior to do something the user is not authorized to do.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
>                 Key: OFBIZ-260
>                 URL: http://issues.apache.org/jira/browse/OFBIZ-260
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Marco Risaliti
>
> *Very* simple test: 
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script> 
> Other components beside ecommerce are also affected.  
>  

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
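Added example, not code from the issue or from the OFBiz code base: the verbatim-reflection pattern the report describes beside the HTML-encoded form, applied to the quoted keywordsearch test URL. The handler and helper names are assumptions made for the illustration.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Constructed request path, modelled on the reproduction URL quoted in the issue.
REQUEST_URL = '/ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>'


def search_string_from(url: str) -> str:
    """Extract the SEARCH_STRING parameter without splitting on ';' (it is part of the value here)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "SEARCH_STRING":
            return unquote_plus(value)
    return ""


def render_search_header_unsafe(search_string: str) -> str:
    """Reflects the parameter verbatim into the page: the pattern the report points at (hypothetical handler)."""
    return f"<h2>Results for: {search_string}</h2>"


def render_search_header(search_string: str) -> str:
    """Encodes the parameter for an HTML text context before reflecting it (hypothetical hardened handler)."""
    return f"<h2>Results for: {html.escape(search_string, quote=True)}</h2>"


def contains_active_markup(fragment: str) -> bool:
    """Simple check used to compare the two renderings: does a script element survive into the output?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    term = search_string_from(REQUEST_URL)
    print("unsafe :", render_search_header_unsafe(term))
    print("encoded:", render_search_header(term))
```

Only the encoded rendering keeps the quoted test payload as literal text; the same encoding must be applied in every component that reflects this parameter, since the report notes others besides ecommerce are affected.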
