[jira] [Created] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo

[Jacques Le Roux (Jira)]

Jacques Le Roux created OFBIZ-12096:
---------------------------------------

             Summary: Post-auth XSS vulnerability at 
catalog/control/EditProductPromo
                 Key: OFBIZ-12096
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12096
             Project: OFBiz
          Issue Type: Sub-task
          Components: product/catalog
    Affects Versions: Trunk
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux


This vulnerability was reported by 牛治 <niu....@zte.com.cn>:

Locations:
* catalog/control/EditProductPromo 
* catalog/control/EditProductPromoCode 

Description: the Promo Name and Promo Text input boxes on the EditProductPromo 
page have not a valid verification and result in an XSS attack.                 
                

Poc: Encode the characters of "<script>alert('poruin')</script>", and the poc 
after encoding is as follows 
"\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"



--
This message was sent by Atlassian Jira
(v8.3.4#803005)