[ https://issues.apache.org/jira/browse/FELIX-6132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls closed FELIX-6132.
-----------------------------
> XSS possible in service console
> -------------------------------
>
> Key: FELIX-6132
> URL: https://issues.apache.org/jira/browse/FELIX-6132
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Affects Versions: webconsole-4.3.8
> Reporter: Ashok Kumar
> Assignee: Karl Pauls
> Priority: Major
> Fix For: webconsole-4.3.12
>
> Attachments: escape_quotes_and_apos_for_service_filter.patch,
> xss_service_console_felix_6132.patch
>
>
> *Issue Summary :* There is an XSS possible in the system console.
> *Steps to reproduce :*
> # Open a local instance
> # Open the link
> [http://localhost:4502/system/console/services?filter=%22onmouseover=%22alert(%27xss%27)%22]
> in Internet Explorer. A pop-up would come when you mouse over the filter input
> box.
> # Chrome would auto-flag the XSS exploit and prevent the page from loading
> *Expected Behavior :* The pop-up should not come up.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
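The report above reflects the `filter` query parameter into the `value` attribute of the filter input box, which is how the injected `onmouseover` handler ends up on the element. The following is an added example, not code from the Felix Web Console or from the attachments: it renders the input tag the vulnerable way and the attribute-escaped way (the fix the attachment name `escape_quotes_and_apos_for_service_filter.patch` suggests), then uses an HTML parser to check which attributes a browser would actually see. The function names and the markup are assumptions for illustration, written in Python rather than the console's Java.

```python
"""Attribute escaping for a reflected query parameter, with a parser-based check."""
from html import escape
from html.parser import HTMLParser

# Constructed sample: the filter value from the reproduction URL, URL-decoded.
TAINTED_FILTER = '"onmouseover="alert(\'xss\')"'


def render_filter_input_unescaped(filter_value: str) -> str:
    """Vulnerable rendering: the raw parameter is spliced into value="..."."""
    return f'<input type="text" name="filter" value="{filter_value}">'


def render_filter_input_escaped(filter_value: str) -> str:
    """Hardened rendering: &, <, >, " and ' are escaped before embedding."""
    safe = escape(filter_value, quote=True)  # quote=True also handles ' and "
    return f'<input type="text" name="filter" value="{safe}">'


class _FirstInputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser would split them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)  # attribute values are entity-decoded by the parser


def input_attributes(markup: str) -> dict:
    """Return {attribute name: value} for the first <input> in the markup."""
    parser = _FirstInputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """Check used by the test: did the parameter smuggle in an on* attribute?"""
    return any(name.startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    for render in (render_filter_input_unescaped, render_filter_input_escaped):
        html = render(TAINTED_FILTER)
        print(render.__name__, "->", sorted(input_attributes(html)))
```

With the escaped rendering the parser reports exactly `type`, `name` and `value`, and the decoded `value` round-trips to the original filter string, so the user's search text is preserved while the injected attribute is gone.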