You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Xin Wang (Jira)" <ji...@apache.org> on 2021/06/08 15:45:00 UTC

[jira] [Created] (OFBIZ-12254) XSS vulnerability for ListWorkEfforts form

Xin Wang created OFBIZ-12254:
--------------------------------

             Summary: XSS vulnerability for ListWorkEfforts form
                 Key: OFBIZ-12254
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12254
             Project: OFBiz
          Issue Type: Bug
    Affects Versions: Trunk
            Reporter: Xin Wang


If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping.

Steps to reproduce:

1. Turn off `sanitizer.enable` in owasp.properties
2. Create a WorkEffort entity with name as `<script>alert(1)</script>`
3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
4. Search for "Work Effort Name" which contains "script"



--
This message was sent by Atlassian Jira
(v8.3.4#803005)