XSS Issues in Metadata Sets.

Description

1. Add Documents and Media portlet.
2. Click the Manage drop-down menu.
3. Click Metadata Sets.
4. Fill <script>alert("xss")</script> in the name.
5. Click Save.

Environment

Tomcat 7.0 + MySQL 5. 6.1.x EE GIT ID: 34df7d1009e8c6582c8176152f28e07ad05d6133q.
Tomcat 7.0 + MySQL 5. 6.2.x GIT ID: 689dfa8d5cc1d078885e8132b78f58540fc76447.

Activity

Sharry Shi June 1, 2012 at 12:58 AM

PASSED Manual Testing following the steps in the description.

Reproduced on:
Tomcat 7.0 + MySQL 5. Portal 6.1.0 CE GA1.

The New Metadata Set named <script>alert("xss")</script> shows as an alert.

Fixed on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x CE GIT ID: 4ff1b724438fa61b000f24b51fb51309cad6e2a8.
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 05c1af41aa32cc740b67c8cc937864abd5bb351b.
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: a72fe03b6a054e2fc0f5ce30624cb5f424683e1d.

The New Metadata Set named <script>alert("xss")</script> does not show as an alert.

Michael Saechang May 30, 2012 at 10:38 AM

Committed on:
Portal 6.1.x CE GIT ID: 4e0fd98f1a23a51dffccae8e82ffaef36d28233f.
Portal 6.2.x GIT ID: 7233e1d085208f1da79f9ddea5e0f8dd381cf7b8.

Fixed

Details

Branch Version/s: 6.1.x
Backported to Branch: Committed
Fix Priority: 4

Created April 5, 2012 at 8:27 PM
Updated June 24, 2023 at 3:48 PM
Resolved October 4, 2012 at 2:37 PM