[XPORTER-2957] Stored XSS via email body text area - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Release 6.2.4
Fix Version/s: Release 6.3.0
Component/s: Scheduled Reports, Security
Labels:
- security_vulnerability_medium

Sprint:
R6.3.0 Sprint 3
Requirement Status:
OK
- 1

Description

Xporter should be able to handle XSS attack from the email body text area.
The user will be able to add scripts that may run when we are listing the scheduled reports/post functions actions.

Cross-site scripting attacks occur when you manage to sneak a script (usually javascript) onto someone else's website, where it can run maliciously.
XSS is possible when you have user input into a web site. For instance, if I was filling out a web form, and it asked me for templates description, I could enter:

Template Description: "<svg/onload=alert(1)>"

Attachments

Issue Links

mentioned in: Page Loading...

Activity

People

Assignee:: Rui Rodrigues

Reporter:: Rui Rodrigues

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 04/Dec/19 2:06 PM

Updated:: 29/Apr/20 4:27 PM

Resolved:: 29/Apr/20 4:26 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

4h 30m