You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Xin Wang (Jira)" <ji...@apache.org> on 2021/06/08 15:45:00 UTC
[jira] [Created] (OFBIZ-12254) XSS vulnerability for
ListWorkEfforts form
Xin Wang created OFBIZ-12254:
--------------------------------
Summary: XSS vulnerability for ListWorkEfforts form
Key: OFBIZ-12254
URL: https://issues.apache.org/jira/browse/OFBIZ-12254
Project: OFBiz
Issue Type: Bug
Affects Versions: Trunk
Reporter: Xin Wang
If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping.
Steps to reproduce:
1. Turn off `sanitizer.enable` in owasp.properties
2. Create a WorkEffort entity with name as `<script>alert(1)</script>`
3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
4. Search for "Work Effort Name" which contains "script"
--
This message was sent by Atlassian Jira
(v8.3.4#803005)