Details

    • Branch Version/s:
      6.1.x, 6.0.x
    • Backported to Branch:
      Committed
    • Fix Priority:
      3

      Description

      REPRODUCTION STEPS: (6.0.x Community equals 6.1.x and trunk sites)
      1. Create a Community and set its type to restricted.
      2. Add portlet "My Communities" on a page.
      3. Log in with a different user, who is not a member of the created community.
      4. On the "My Communities" portlet change to tab "Available Communities".
      5. Search for the created community and click on "Request Membership".
      6. Type the following into comment field: <script>alert('XSS');</script>
      7. Log out and log in as the owner or admin of the community.
      8. Go to "My Communities" Portlet and select "View Membership Request" from the Actions menu.

      And also reproduced the same behaviour with "Reply Comments" textbox.

        Issue Links

          Activity

          Hide
          matthew.lee Matthew Lee (Inactive) added a comment -

          Committed on:
          Portal 6.2.x GIT ID: e5e8fd29e2ec62c8e0f9999ec986067ae0f078ea.

          Show
          matthew.lee Matthew Lee (Inactive) added a comment - Committed on: Portal 6.2.x GIT ID: e5e8fd29e2ec62c8e0f9999ec986067ae0f078ea.
          Hide
          pani.gui Pani Gui (Inactive) added a comment -

          PASSED Manual Testing following the steps in the description.

          Reproduced on:
          Tomcat 6.0 + MySQL 5. 6.0.12 EE.
          Tomcat 7.0 + MySQL 5. 6.1.20 EE GA2.

          There is XSS in group membership requests.

          Fixed on:
          Tomcat 6.0 + MySQL 5. Portal 6.0.x GIT ID: 48a082c57b38dfc09c06f3fa03430f951fb17305.
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 12d6f070f68b9b25f71783de416fcb7a9c7696f5.
          Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 5d6109f42b95c3f75c12f6f4d80c3929b010ac12.

          XSS is unable to be executed in group membership requests.

          Show
          pani.gui Pani Gui (Inactive) added a comment - PASSED Manual Testing following the steps in the description. Reproduced on: Tomcat 6.0 + MySQL 5. 6.0.12 EE. Tomcat 7.0 + MySQL 5. 6.1.20 EE GA2. There is XSS in group membership requests. Fixed on: Tomcat 6.0 + MySQL 5. Portal 6.0.x GIT ID: 48a082c57b38dfc09c06f3fa03430f951fb17305. Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 12d6f070f68b9b25f71783de416fcb7a9c7696f5. Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 5d6109f42b95c3f75c12f6f4d80c3929b010ac12. XSS is unable to be executed in group membership requests.

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                4 years, 36 weeks, 3 days ago

                Development

                  Subcomponents