Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.13.4.GA, IBM BAMOE 8.0.4.GA
Affects Version/s: 7.13.0.GA, 7.13.1.GA, 7.13.2.GA, 7.13.3.GA
Component/s: Business Central
Labels:
- bamoe-verified
- reported-by-qe

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Fix Build:
CR1
QE Test Coverage:
-
Target Release:

7.13.4.GA
Test Coverage:

-
Git Pull Request:
https://github.com/kiegroup/kie-wb-common/pull/3817, https://github.com/kiegroup/kie-wb-common/pull/3818
[QE] How to address?:
---
[QE] Why QE missed?:
---
Intelligence Requested:

Sprint:
2023 Week 30-32 (from Jul 24)

SFDC Cases Counter:
SFDC Cases Links:

Summary
Using BC UI for creating branches, user can use XSS to read the cookie or create a alert.
The malformed branch, with XSS name or similar is not created, however the modal can be used to read cookie or extract other information consistently on one place.

Steps
1. Login to BC and navigate to a project
( Spaces > RestSpace_3 > my_orject_rhpam > master )
2. There is a hyperlink with text `master` and a dropdown, click it
3. Pop-up appears where you click Add Branch
4. Input <img/src/onerror=alert(document.cookie)>
5. Alert with cookie content is shown

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Screenshot from 2023-05-24 09-48-26.png
157 kB
2023/05/24 9:08 AM

Assignee:: Paulo Rego

Reporter:: Dominik Hanak

QA Contact:: Dominik Hanak

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2023/05/24 8:02 AM

Updated:: 2024/02/12 9:24 AM

Resolved:: 2023/08/11 8:20 AM

Details

Description

Attachments

Attachments

Activity

People

Dates