| Summary: | XSS issue in user creation page | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Portal Platform 5 | Reporter: | Viliam Rockai <vrockai> |
| Component: | unspecified | Assignee: | hfnukal <hfnukal> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.1.0.ER03 | CC: | smumford, theute |
| Target Milestone: | --- | | |
| Target Release: | 5.1.1.DEV01 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| URL: | http://jira.jboss.org/jira/browse/JBEPP-598 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-04-19 14:55:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
History:

- Link: Added: This issue is related to GTNPORTAL-1616
- Tentatively set for 5.1.0 CR01
- Release Notes Docs Status: Removed: Not Required. Added: Documented as Known Issue
- Release Notes Docs Status: Removed: Documented as Known Issue. Added: Not Yet Documented
- Release Notes Text: Added: JavaScript is not executed in list, if entered to fields
- Link: Added: This issue relates to JBEPP-914
- Release Notes Docs Status: Removed: Not Yet Documented. Added: Documented as Resolved Issue
- Release Notes Text: Removed: JavaScript is not executed in list, if entered to fields. Added: Security vulnerabilities arising from the execution of XSS JavaScript entered into various portal form fields have been eradicated in this release. The resolution to this issue also resolves the following related JIRA issues: https://issues.jboss.org/browse/JBEPP-847, https://issues.jboss.org/browse/JBEPP-997
- Marked as 'Release Note Not Required' to prevent this JIRA being extracted in dynamic Release Note builds. The above Release Note text has been included in a static section of the document.
- Release Notes Docs Status: Removed: Documented as Resolved Issue. Added: Not Required
- Release Notes Text: Removed: Security vulnerabilities arising from the execution of XSS JavaScript entered into various portal form fields have been eradicated in this release. The resolution to this issue also resolves the following related JIRA issues: https://issues.jboss.org/browse/JBEPP-847, https://issues.jboss.org/browse/JBEPP-997. Added: This release of JBoss Enterprise Portal Platform resolves a number of Cross Site Scripting found in the user creation and new page creation forms. The following issues have been resolved:
  https://issues.jboss.org/browse/JBEPP-365
  https://issues.jboss.org/browse/JBEPP-598
  https://issues.jboss.org/browse/JBEPP-595
  https://issues.jboss.org/browse/JBEPP-847
  https://issues.jboss.org/browse/JBEPP-997
  https://issues.jboss.org/browse/JBEPP-914
  Work to address further XSS issues is ongoing.
- Release Notes Text: Removed: This release of JBoss Enterprise Portal Platform resolves a number of Cross Site Scripting found in the user creation and new page creation forms. The following issues have been resolved:
  https://issues.jboss.org/browse/JBEPP-365
  https://issues.jboss.org/browse/JBEPP-598
  https://issues.jboss.org/browse/JBEPP-595
  https://issues.jboss.org/browse/JBEPP-847
  https://issues.jboss.org/browse/JBEPP-997
  https://issues.jboss.org/browse/JBEPP-914
  Work to address further XSS issues is ongoing.
  Added: This release of JBoss Enterprise Portal Platform resolves a number of Cross Site Scripting issues found in the user creation and new page creation forms. The following issues have been resolved:
  https://issues.jboss.org/browse/JBEPP-365
  https://issues.jboss.org/browse/JBEPP-598
  https://issues.jboss.org/browse/JBEPP-595
  https://issues.jboss.org/browse/JBEPP-847
  https://issues.jboss.org/browse/JBEPP-997
  https://issues.jboss.org/browse/JBEPP-914
  Work to address further XSS issues is ongoing.
- Security: Removed: RHT+eXo. Added: Public
project_key: JBEPP

When creating a new user (even through the register form without logging in!), you can put the XSS string "<script>alert('hi');</script>" as his first/last name. While browsing (searching) users, the script is invoked. The string can be put into all user attributes (street, town and so on) and this may cause some trouble in the future if there is some sort of user browser showing those fields...
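The defect described in the report and its fix, as an added illustration that is not part of this bug record or of the JBoss Portal code base: the user list pastes stored attribute values straight into the page, and the fix is to HTML-escape every attribute at output time, including the ones (street, town) that the reporter notes are not displayed yet. The attribute names, render functions and sample records are assumptions constructed for this example.

```python
import html

# Constructed sample records: one ordinary user and one created through the
# register form with the reporter's payload as first name and markup in
# other profile attributes as well.
USERS = [
    {"userName": "alice", "firstName": "Alice", "lastName": "Smith",
     "street": "1 Main St", "town": "Springfield"},
    {"userName": "mallory", "firstName": "<script>alert('hi');</script>",
     "lastName": "Mallory", "street": "<b>Main St</b>",
     "town": "O'Hare \"Town\""},
]
ATTRS = ("userName", "firstName", "lastName", "street", "town")


def render_user_rows_unsafe(users):
    """Pre-fix behaviour (assumed): attribute values go into the markup as-is,
    so a stored <script> element is executed when the user list is viewed."""
    rows = []
    for u in users:
        cells = "".join(f"<td>{u[a]}</td>" for a in ATTRS)
        rows.append(f"<tr>{cells}</tr>")
    return "\n".join(rows)


def render_user_rows(users):
    """Fixed behaviour: escape every attribute at output time, whatever field
    it came from, so stored markup is shown as text instead of interpreted."""
    rows = []
    for u in users:
        cells = "".join(f"<td>{html.escape(u[a], quote=True)}</td>" for a in ATTRS)
        rows.append(f"<tr>{cells}</tr>")
    return "\n".join(rows)


def render_profile_input(name, value):
    """Edit-form context: the value sits inside a quoted HTML attribute, so
    both kinds of quote must be escaped too (quote=True does that)."""
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


def unescaped_markup_leaks(render, users):
    """Regression check for a user-list renderer: return the (user, attribute)
    pairs whose value contains markup-significant characters and still
    appears verbatim in the rendered output."""
    out = render(users)
    return [(u["userName"], a) for u in users for a in ATTRS
            if any(c in u[a] for c in "<>\"'&") and u[a] in out]
```

Running `unescaped_markup_leaks` over both renderers shows three leaking attributes for the unsafe one and none for the fixed one.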