[jira] [Updated] (OFBIZ-10676) Self XSS

2018-11-27 Thread Dinesh Mohanty (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dinesh Mohanty updated OFBIZ-10676:
---
Description: 
A Self XSS vulnerability is present for "Product Backlog Item" for adding a 
Product Backlog; details of the issue have been emailed to the security team.

*Steps to Reproduce:*

1. Log into the Scrum Management Portal as *productowner* and click on your 
desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*

2. The above URL in my case is 
[https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]

3. Now double-click on any of the "*PRODUCT BACKLOG ITEM*" and change the value 
to *alert(1)* and click on OK.

4. One can see that the XSS payload executed, confirming the Self XSS.

Note: The same has been confirmed by the Security Team, so it is being published 
publicly through the OFBiz Jira platform.

  was:
A Self XSS vulnerability is present for "Product Backlog Item" for adding a 
Product Backlog; details of the issue have been emailed to the security team.

*Steps to Reproduce:*

1. Log into the Scrum Management Portal as admin and click on your desired 
product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*

2. The above URL in my case is 
[https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]

3. Now double-click on any of the "*PRODUCT BACKLOG ITEM*" and change the value 
to *alert(1)* and click on OK.

4. One can see that the XSS payload executed, confirming the Self XSS.

Note: The same has been confirmed by the Security Team, so it is being published 
publicly through the OFBiz Jira platform.


> Self XSS
> 
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: Trunk, 16.11.05
> Reporter: Dinesh Mohanty
> Assignee: Benjamin Jugl
> Priority: Major
> Labels: security
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
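The report above shows a value typed into a Product Backlog Item being executed as script when the page displays it. The standard fix for that class of bug is to HTML-encode every user-controlled value at the point where it is written into markup, so the text is shown rather than interpreted; the same encoding step applies whether the value is only echoed back to the person who typed it (the "self" XSS the reporter describes) or is later shown to other users. The following is an added example and is not code from the OFBiz scrum component or from this Jira thread; the row layout, the `id`/`description` field names and the sample items are assumptions constructed for the illustration.

```javascript
// Characters significant in HTML text and double-quoted attribute contexts,
// mapped to their entity forms. '/' is included as well so a closing tag
// cannot be assembled from user input.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
};

// Encode an untrusted value for insertion into an HTML text node or a
// double-quoted attribute. Non-strings are coerced; null/undefined become ''.
function escapeHtml(untrusted) {
  return String(untrusted ?? '').replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one backlog item as a table row. The field names (id, description)
// are assumptions for this example; every value passes through escapeHtml.
function renderBacklogItemRow(item) {
  return `<tr data-id="${escapeHtml(item.id)}">` +
         `<td class="backlog-item">${escapeHtml(item.description)}</td>` +
         `</tr>`;
}

// The unsafe counterpart: values are concatenated verbatim, so markup typed
// into the item text becomes live HTML in whichever browser displays it.
function renderBacklogItemRowUnsafe(item) {
  return `<tr data-id="${item.id}"><td class="backlog-item">${item.description}</td></tr>`;
}

// Render a whole backlog with the chosen row renderer (safe by default).
function renderBacklog(items, render = renderBacklogItemRow) {
  return items.map(render).join('\n');
}

// Crude check for a unit test or code review: does the rendered HTML contain
// a script tag or an inline event-handler attribute that the template itself
// never emits? Good enough to catch the concatenation bug above.
function containsForeignMarkup(html) {
  return /<script\b|<\/script|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample data: one benign item and one whose text is the kind of
// value entered in step 3 of the reproduction.
const SAMPLE_ITEMS = [
  { id: 'DEMO-PRODUCT-1-01', description: 'Write user stories for sprint 1' },
  { id: 'DEMO-PRODUCT-1-02', description: '<script>alert(1)</script>' },
];

console.log('safe rendering:\n' + renderBacklog(SAMPLE_ITEMS));
console.log('unsafe rendering contains foreign markup:',
            containsForeignMarkup(renderBacklog(SAMPLE_ITEMS, renderBacklogItemRowUnsafe)));
```

When the value is written by a client-side inline editor rather than a string template, the equivalent is to set the cell with `textContent` instead of `innerHTML`; in a server-side FreeMarker template the analogous step is the engine's HTML escaping (the `?html` built-in, or auto-escaping in newer FreeMarker releases) applied to the backlog item field.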


[jira] [Created] (OFBIZ-10676) Self XSS

2018-11-27 Thread Dinesh Mohanty (JIRA)
Dinesh Mohanty created OFBIZ-10676:
--

 Summary: Self XSS
 Key: OFBIZ-10676
 URL: https://issues.apache.org/jira/browse/OFBIZ-10676
 Project: OFBiz
 Issue Type: Bug
 Components: scrum
 Affects Versions: 16.11.05
 Reporter: Dinesh Mohanty


A Self XSS vulnerability is present for "Product Backlog Item" for adding a 
ProductBacklog; details of the issue have been emailed to the security team.





[jira] [Updated] (OFBIZ-10676) Self XSS

2018-11-27 Thread Dinesh Mohanty (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dinesh Mohanty updated OFBIZ-10676:
---
Description: 
A Self XSS vulnerability is present for "Product Backlog Item" for adding a 
Product Backlog; details of the issue have been emailed to the security team.

*Steps to Reproduce:*

1. Log into the Scrum Management Portal as admin and click on your desired 
product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*

2. The above URL in my case is 
[https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]

3. Now double-click on any of the "*PRODUCT BACKLOG ITEM*" and change the value 
to *alert(1)* and click on OK.

4. One can see that the XSS payload executed, confirming the Self XSS.

Note: The same has been confirmed by the Security Team, so it is being published 
publicly through the OFBiz Jira platform.

  was:A Self XSS vulnerability is present for "Product Backlog Item" for 
adding a ProductBacklog; details of the issue have been emailed to the security team.


> Self XSS
> 
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: 16.11.05
> Reporter: Dinesh Mohanty
> Priority: Major
> Labels: security
>


