Jacques Le Roux created OFBIZ-12096:
---------------------------------------
Summary: Post-auth XSS vulnerability at catalog/control/EditProductPromo
Key: OFBIZ-12096
URL:
https://issues.apache.org/jira/browse/OFBIZ-12096 Project: OFBiz
Issue Type: Sub-task
Components: product/catalog
Affects Versions: Trunk
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
This vulnerability was reported by 牛治 <
[hidden email]>:
Locations:
* catalog/control/EditProductPromo
* catalog/control/EditProductPromoCode
Description: the Promo Name and Promo Text input boxes on the EditProductPromo page have not a valid verification and result in an XSS attack.
Poc: Encode the characters of "<script>alert('poruin')</script>", and the poc after encoding is as follows "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
