Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.1.X EE, 6.2.0 CE B1
    • Fix Version/s: 6.2.0 CE B3
    • Component/s: Security Vulnerability
    • Labels:
    • Environment:
    • Story Points: 4
    • Fix Priority: 4

      Description

      1. Finish LPS-37748 steps.
        1. Start tomcat with clean database.
        2. Deploy Kaleo-Forms, kaleo-designer-portlet, kaleo-upgrade-hook, kaleo-web, portal-compat-hook.
        3. Add kaleo-forms portlet to new page.
        4. Go to Processes tab.
        5. Click Add button.
        6. Fill name: <script>alert("xss")</script>.
        7. Select Entry Definition, Initial Form, Workflow.
        8. Save.
      2. Checkpoint: when you finish the above steps, you should not see any XSS.
      3. Go to Summary tab.
      4. Click Submit New button.
      5. Click the newly created process.
      6. Save.
      7. Refresh page.

      Expected result:
      Users should not see any XSS.

      Actual result:
      XSS appears.


      CVSS Base Score: 7.6
      CVSS Temporal Score: 6.3
      CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
      

            People

            • Assignee: mark.jin Mark Jin (Inactive)
            • Reporter: mark.jin Mark Jin (Inactive)
            • Participants of an Issue:
            • Recent user: Esther Sanz

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                3 years, 42 weeks, 6 days ago
