[ https://issues.apache.org/jira/browse/OFBIZ-6506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux reopened OFBIZ-6506:
------------------------------------

I reopen this issue to close it properly and credit Lilian for the report of the vulnerability which has been attributed the [*CVE-2015-3268*|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3268]

Note though that as explained at https://ofbiz.apache.org/download.html, we strongly encourage OFBiz users to report security problems affecting OFBiz to the *private security mailing list of the ASF Security Team*, before disclosing them in public. Please see the page of the [ASF Security Team|http://www.apache.org/security] for further information and contact information.

h5. Summary:
The issue was that in ModelFormField.java we were not encoding non-empty data coming from the DB when using the DisplayEntityField.getDescription() method. The issue was not possible without access to the DB. In other words, for the XSS to work you needed to have either admin access or be able to do an SQL injection. Anyway, in both cases, the description attribute of the display-entity element is now escaped to prevent the risk of this XSS attack.

> XSS vulnerability in OFBiz forms and screens especially in display-entity component
> -----------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6506
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6506
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Lilian Iatco
>            Assignee: Jacques Le Roux
>              Labels: display, entity, form, ofbiz, screen, vulnerability, xss
>         Attachments: Tooltip no XSS issue.png
>
>
> In an OFBiz form we need to escape characters from the description column in a
> display-entity tag to avoid XSS attacks.
> {code}<display-entity entity-name="Table" description="${description}" >{code}
> I tried to use bsh, as following:
> {code}<display-entity entity-name="Table" description="${bsh:
> org.apache.commons.lang.StringEscapeUtils.escapeHtml("${description}")}">{code}
> But I get this error:
> {code}
> Error rendering screen
> [component://my/widget/CommonScreens.xml#GlobalDecorator]:
> java.lang.IllegalStateException: This object has been flagged as immutable
> (unchangeable), probably because it came from an Entity Engine cache. Cannot
> set a value in an immutable entity object.
> (This object has been flagged as immutable (unchangeable), probably because
> it came from an Entity Engine cache. Cannot set a value in an immutable
> entity object.)
> {code}
> PS:
> Also you can see here a similar issue:
> http://stackoverflow.com/questions/30097370/how-to-escape-characters-in-ofbiz-widget

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
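The following is an added, self-contained illustration of the defect described in the summary above; it is not OFBiz code and not the actual ModelFormField fix. It assumes a hypothetical `escapeHtml` helper standing in for the project's HTML encoder, and hypothetical `renderVulnerable` / `renderEscaped` methods that model a display-entity field before and after the change: a description value read from the DB is emitted into the markup as-is in the first, and HTML-encoded when non-empty in the second.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not OFBiz code: why a DB-sourced description must be
// HTML-encoded before a display-entity widget writes it into the page.
public class DisplayEntityEscapeDemo {

    // Assumption: minimal stand-in for the project's HTML encoder, covering the
    // five characters that matter in HTML text and attribute contexts.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Models the behaviour before the fix: the description coming from the
    // entity row is concatenated into the markup unchanged.
    static String renderVulnerable(Map<String, Object> entityRow) {
        Object desc = entityRow.get("description");
        String text = (desc == null) ? "" : desc.toString();
        return "<span class=\"display-entity\">" + text + "</span>";
    }

    // Models the behaviour after the fix: a non-empty description is encoded,
    // so anything stored in the DB is shown as text, never parsed as markup.
    static String renderEscaped(Map<String, Object> entityRow) {
        Object desc = entityRow.get("description");
        String text = (desc == null) ? "" : desc.toString();
        if (!text.isEmpty()) {
            text = escapeHtml(text);
        }
        return "<span class=\"display-entity\">" + text + "</span>";
    }

    public static void main(String[] args) {
        // Constructed row: a description that someone with DB write access
        // (admin, or via SQL injection, as the summary notes) could have stored.
        Map<String, Object> row = new HashMap<>();
        row.put("description", "<script>alert('x')</script>");

        System.out.println("before fix: " + renderVulnerable(row));
        // before fix: <span class="display-entity"><script>alert('x')</script></span>

        System.out.println("after fix:  " + renderEscaped(row));
        // after fix:  <span class="display-entity">&lt;script&gt;alert(&#39;x&#39;)&lt;/script&gt;</span>

        // The reporter's bsh workaround failed because it tried to write back
        // into a cached, immutable entity; encoding at render time, as above,
        // leaves the entity untouched and needs no change to the widget XML.
        Map<String, Object> empty = new HashMap<>();
        empty.put("description", "");
        System.out.println("empty:      " + renderEscaped(empty));
        // empty:      <span class="display-entity"></span>
    }
}
```

Compile and run with `javac DisplayEntityEscapeDemo.java && java DisplayEntityEscapeDemo`. The design point is that the encoding happens in the renderer, on the way out, rather than by mutating the entity value or by adding per-field bsh expressions to every form; that is what makes the fix cover every display-entity element at once and sidesteps the immutable-entity error the reporter hit.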