Bug 793840 (JBEPP-914) - XSS issues with user's firstname and lastname
Summary: XSS issues with user's firstname and lastname
Keywords:
Status: CLOSED NEXTRELEASE
Alias: JBEPP-914
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: unspecified
Version: 5.1.1.DEV01
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 5.1.1.DEV02
Assignee: hfnukal@redhat.com
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard:
Depends On:
Blocks:
Reported: 2011-05-03 11:23 UTC by Michal Vanco
Modified: 2013-04-30 23:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
EPP5.1.1 DEV01
Last Closed: 2011-05-09 13:32:44 UTC
Type: Bug




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 793518 0 high CLOSED XSS issue in user creation page 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker JBEPP-914 0 Major Closed XSS issues with user's firstname and lastname 2012-08-23 07:15:36 UTC

Internal Links: 793518

Description Michal Vanco 2011-05-03 11:23:11 UTC
project_key: JBEPP

JBEPP-598 is already fixed, but when the firstname or lastname contains a script, it is executed in 2 more places:
 - dashboard (the logo portlet contains the user's full name)
 - organization portlet, when the user is added to a group using the search dialog

Steps to reproduce:
 - register a new user with <script>alert('test')</script> as firstname or lastname
1) sign in as the new user, click Dashboard - the script is executed in the logo portlet
2) sign in as root, go to Users management, Group man., select some group, click the "Select User" Search icon - the script is executed in the Select User dialog
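As an added illustration (not code from EPP or from this report), the defensive pattern the report points at: a name is stored raw, so it must be HTML-escaped at every sink that renders it, not only on the user creation page fixed by JBEPP-598. The class, method names and template strings below are hypothetical.

```java
/** Constructed example: one rendering helper shared by every HTML sink. */
public final class DisplayNameRendering {

    // Encoder for HTML text content and double-quoted attribute values.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Single rendering point for a full name; both sinks go through it. */
    public static String fullNameHtml(String firstName, String lastName) {
        return escapeHtml(firstName) + " " + escapeHtml(lastName);
    }

    // Sink 1: dashboard logo portlet (hypothetical template).
    public static String logoPortletHtml(String first, String last) {
        return "<div class=\"logo\">" + fullNameHtml(first, last) + "</div>";
    }

    // Sink 2: row in the "Select User" search dialog (hypothetical template).
    public static String userSearchRowHtml(String user, String first, String last) {
        return "<tr><td>" + escapeHtml(user) + "</td><td>"
             + fullNameHtml(first, last) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample: the payload from the report stored as a first name.
        String first = "<script>alert('test')</script>";
        String last = "Tester";
        String logo = logoPortletHtml(first, last);
        String row = userSearchRowHtml("tester", first, last);
        // Regression check: no sink may emit a raw <script> element.
        if (logo.contains("<script") || row.contains("<script")) {
            throw new AssertionError("unescaped user name reached an HTML sink");
        }
        System.out.println(logo);
        System.out.println(row);
    }
}
```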

Comment 1 Michal Vanco 2011-05-03 11:23:44 UTC
Link: Added: This issue is related to JBQA-4617


Comment 2 Michal Vanco 2011-05-03 11:24:07 UTC
Link: Added: This issue is related to JBEPP-598


Comment 3 Scott Mumford 2011-08-09 03:49:22 UTC
Release Notes Docs Status: Added: Not Required


Comment 4 hfnukal@redhat.com 2011-09-07 16:19:06 UTC
Security: Removed: RHT+eXo Added: Public

