Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.13.4.GA, IBM BAMOE 8.0.4.GA
Affects Version/s: 7.13.0.GA, 7.13.1.GA, 7.13.2.GA, 7.13.3.GA
Component/s: Business Central
Labels:
- bamoe-verified
- reported-by-qe

Blocked:
False
Blocked Reason:
None
Ready:
False
Fix Build:
CR1
QE Test Coverage:
-
Target Release:

7.13.4.GA
Test Coverage:

-
Git Pull Request:
https://github.com/kiegroup/kie-wb-common/pull/3817, https://github.com/kiegroup/kie-wb-common/pull/3818
[QE] How to address?:
---
[QE] Why QE missed?:
---

Sprint:
2023 Week 30-32 (from Jul 24)

SFDC Cases Counter:
SFDC Cases Links:

Description

Summary
Using BC UI for creating branches, user can use XSS to read the cookie or create a alert.
The malformed branch, with XSS name or similar is not created, however the modal can be used to read cookie or extract other information consistently on one place.

Steps
1. Login to BC and navigate to a project
( Spaces > RestSpace_3 > my_orject_rhpam > master )
2. There is a hyperlink with text `master` and a dropdown, click it
3. Pop-up appears where you click Add Branch
4. Input <img/src/onerror=alert(document.cookie)>
5. Alert with cookie content is shown

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Screenshot from 2023-05-24 09-48-26.png
157 kB
2023/05/24 9:08 AM

Activity

People

Assignee:: Paulo Rego

Reporter:: Dominik Hanak

QA Contact:: Dominik Hanak

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023/05/24 8:02 AM

Updated:: 2024/02/12 9:24 AM

Resolved:: 2023/08/11 8:20 AM