project_key: JBEPP

When creating a new user (even through the register form without logging in!), you can put the XSS string "<script>alert('hi');</script>" as his first/last name. While browsing (searching) users, the script is invoked. The string can be put into all user attributes (street, town and so on), and this may cause some trouble in the future if there is some sort of user browser showing those fields...
Link: Added: This issue is related to GTNPORTAL-1616
Tentatively set for 5.1.0 CR01
Release Notes Docs Status: Removed: Not Required Added: Documented as Known Issue
Release Notes Docs Status: Removed: Documented as Known Issue Added: Not Yet Documented Release Notes Text: Added: Javascript is not executed in list, if entered to fields
Link: Added: This issue relates to JBEPP-914
Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Resolved Issue Release Notes Text: Removed: Javascript is not executed in list, if entered to fields Added: Security vulnerabilities arising from the execution of XSS javascript entered into various portal form fields have been eradicated in this release. The resolution to this issue also resolves the following related JIRA issues: https://issues.jboss.org/browse/JBEPP-847 https://issues.jboss.org/browse/JBEPP-997
Marked as 'Release Note Not Required' to prevent this JIRA being extracted in dynamic Release Note builds. The above Release Note text has been included in a static section of the document.
Release Notes Docs Status: Removed: Documented as Resolved Issue Added: Not Required Release Notes Text: Removed: Security vulnerabilities arising from the execution of XSS javascript entered into various portal form fields have been eradicated in this release. The resolution to this issue also resolves the following related JIRA issues: https://issues.jboss.org/browse/JBEPP-847 https://issues.jboss.org/browse/JBEPP-997 Added: This release of JBoss Enterprise Portal Platform resolves a number of Cross Site Scripting found in the user creation and new page creation forms. The following issues have been resolved: https://issues.jboss.org/browse/JBEPP-365 https://issues.jboss.org/browse/JBEPP-598 https://issues.jboss.org/browse/JBEPP-595 https://issues.jboss.org/browse/JBEPP-847 https://issues.jboss.org/browse/JBEPP-997 https://issues.jboss.org/browse/JBEPP-914 Work to address further XSS issues is ongoing.
Release Notes Text: Removed: This release of JBoss Enterprise Portal Platform resolves a number of Cross Site Scripting found in the user creation and new page creation forms. The following issues have been resolved: https://issues.jboss.org/browse/JBEPP-365 https://issues.jboss.org/browse/JBEPP-598 https://issues.jboss.org/browse/JBEPP-595 https://issues.jboss.org/browse/JBEPP-847 https://issues.jboss.org/browse/JBEPP-997 https://issues.jboss.org/browse/JBEPP-914 Work to address further XSS issues is ongoing. Added: This release of JBoss Enterprise Portal Platform resolves a number of Cross Site Scripting issues found in the user creation and new page creation forms. The following issues have been resolved: https://issues.jboss.org/browse/JBEPP-365 https://issues.jboss.org/browse/JBEPP-598 https://issues.jboss.org/browse/JBEPP-595 https://issues.jboss.org/browse/JBEPP-847 https://issues.jboss.org/browse/JBEPP-997 https://issues.jboss.org/browse/JBEPP-914 Work to address further XSS issues is ongoing.
Security: Removed: RHT+eXo Added: Public