Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 6.4.3
Affects Version/s: 6.4.0
Component/s: Business Central
Labels:

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1439819
Fix Build:
CR1
Release Note Text:
A new control have been added before displaying the content to avoid the html interpretation.
Target Release:
Steps to Reproduce:

Hide

In business central, go to Tasks. Click on the "+" button to create a new filtered list and then enter something that uses HTML tags, such as *<h1>test</h1>*. Now tries to delete the list you just created and you should see that "test" will be shown as an HTML header in the confirmation dialog- indicating that the HTML code was interpreted.

Show
In business central, go to Tasks. Click on the "+" button to create a new filtered list and then enter something that uses HTML tags, such as * <h1>test</h1> *. Now tries to delete the list you just created and you should see that "test" will be shown as an HTML header in the confirmation dialog- indicating that the HTML code was interpreted.

SFDC Cases Counter:
SFDC Cases Links:

Description

When you create a new task filtered list in business central, you can use HTML tags for the Name field. Later, when deleting it, the HTML is rendered. Although tags like script seems to be rejected, this could be an entry point for XSS attacks.

Attachments

Issue Links

clones

RHBPMS-4624 Task Filter List accepts HTML in the Name field which is rendered when deleting it

Closed

Activity

People

Assignee:: Neus Miras Chueca

Reporter:: William Siqueira

Tester:: Kirill Gaevskii

QA Contact:: Kirill Gaevskii

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2017/02/10 2:33 PM

Updated:: 2021/10/24 5:49 AM

Resolved:: 2017/03/31 1:27 PM

CVE-2017-2674 business-central: Multiple stored XSS in task and process filters [bpms-6.4.x]