[CAM-6242] Javascript code executable in input fields

Type: Bug Report
Resolution: Fixed
Priority: L3 - Default
Fix Version/s: 7.3.8, 7.4.12, 7.7.0, 7.5.8, 7.6.3, 7.7.0-alpha1
Affects Version/s: 7.4.7
Component/s: admin, cockpit
Labels:
None

Use following command

<script>window.alert("hallo")</script>

Following input fields are affected
Cockpit:
Process Instance View: User Task Assignee
Process Instance View: Add string variable with name <script>window.alert("hallo")</script> in the instance modification menu. Subsequently go to variables tab and change the variable type to object. This can also be done by other users --> XSS

Admin:
Create new User Menu: User Id*
Create new Groups Menu: Group Id*

This is the controller panel for Smart Panels app

Sebastian Stamm added a comment - 20/Jan/17 9:28 AM

The Jenkins Jobs for commons-ui are currently failing on some branches, however, the failing test-cases seem to be unrelated to the changes in this issue.

Sebastian Stamm added a comment - 20/Jan/17 9:28 AM The Jenkins Jobs for commons-ui are currently failing on some branches, however, the failing test-cases seem to be unrelated to the changes in this issue.

Assignee:: Michael Schoettes

Reporter:: Michael Schoettes

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 14/Jun/16 11:58 AM

Updated:: 10/Feb/17 6:26 AM

Resolved:: 19/Jan/17 5:38 PM

Details

Description

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Activity

Collapse comment: Sebastian Stamm added a comment - 20/Jan/17 9:28 AM

Expand comment: Sebastian Stamm added a comment - 20/Jan/17 9:28 AM

People

Dates

Salesforce