[RHPAM-4723] Creating a branch via BC UI can lead to XSS

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.13.4.GA, IBM BAMOE 8.0.4.GA
Affects Version/s: 7.13.0.GA, 7.13.1.GA, 7.13.2.GA, 7.13.3.GA
Component/s: Business Central
Labels:
- bamoe-verified
- reported-by-qe

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Fix Build:
CR1
QE Test Coverage:
-
Target Release:

7.13.4.GA
Test Coverage:

-
Git Pull Request:
https://github.com/kiegroup/kie-wb-common/pull/3817, https://github.com/kiegroup/kie-wb-common/pull/3818
[QE] How to address?:
---
[QE] Why QE missed?:
---
Intelligence Requested:

Sprint:
2023 Week 30-32 (from Jul 24)

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Summary
Using BC UI for creating branches, user can use XSS to read the cookie or create a alert.
The malformed branch, with XSS name or similar is not created, however the modal can be used to read cookie or extract other information consistently on one place.

Steps
1. Login to BC and navigate to a project
( Spaces > RestSpace_3 > my_orject_rhpam > master )
2. There is a hyperlink with text `master` and a dropdown, click it
3. Pop-up appears where you click Add Branch
4. Input <img/src/onerror=alert(document.cookie)>
5. Alert with cookie content is shown

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Screenshot from 2023-05-24 09-48-26.png
157 kB
2023/05/24 9:08 AM

Marek Novotny added a comment - 2024/02/12 9:24 AM

Marked as Closed for all verified/Release pending issues

Marek Novotny added a comment - 2024/02/12 9:24 AM Marked as Closed for all verified/Release pending issues

Emily Murphy added a comment - 2023/09/01 2:09 PM

dhanak@redhat.com if possible, please make this issue public so we can include the link in the release notes.

Emily Murphy added a comment - 2023/09/01 2:09 PM dhanak@redhat.com if possible, please make this issue public so we can include the link in the release notes.

Dominik Hanak added a comment - 2023/08/29 6:11 AM

Fixing assignee to paulovmr as he is the one who submitted fix for this issue.

Dominik Hanak added a comment - 2023/08/29 6:11 AM Fixing assignee to paulovmr as he is the one who submitted fix for this issue.

Dominik Hanak added a comment - 2023/08/29 6:10 AM

Verified with 7.13.4.CR1

Dominik Hanak added a comment - 2023/08/29 6:10 AM Verified with 7.13.4.CR1

Assignee:: Paulo Rego

Reporter:: Dominik Hanak

QA Contact:: Dominik Hanak

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2023/05/24 8:02 AM

Updated:: 2024/02/12 9:24 AM

Resolved:: 2023/08/11 8:20 AM

Details

Description

Attachments

Attachments

Easy Agile Planning Poker

Activity

Collapse comment: Marek Novotny added a comment - 2024/02/12 9:24 AM

Expand comment: Marek Novotny added a comment - 2024/02/12 9:24 AM

Collapse comment: Emily Murphy added a comment - 2023/09/01 2:09 PM

Expand comment: Emily Murphy added a comment - 2023/09/01 2:09 PM

Collapse comment: Dominik Hanak added a comment - 2023/08/29 6:11 AM

Expand comment: Dominik Hanak added a comment - 2023/08/29 6:11 AM

Collapse comment: Dominik Hanak added a comment - 2023/08/29 6:10 AM

Expand comment: Dominik Hanak added a comment - 2023/08/29 6:10 AM

People

Dates