
#PT12068_8 - Client-Side Injection


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security, Security / Rights

      Description

      Improper/weak input sanitization allows HTML/JavaScript injection

      Proof of Concept

      1. Log in to the application as a privileged user.
      2. While the privileged user edits a user's details from the "Administration -> Users & Groups" page, HTML/JavaScript code can be entered as the user's "First Name", "Last Name" or "Company" information.

      Suggested Fix

      Certain HTML tags and JavaScript code should not be accepted in filenames or in user profile information.
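      As an added example that is not part of this ticket or of Nuxeo's code, the JavaScript below shows the two controls the suggested fix implies for the profile fields named above: reject markup characters when the value is saved, and HTML-encode the stored value wherever it is rendered, so a name such as "O'Brien" or a company such as "Smith & Sons" still passes while an injected tag is neutralised. The field names, the length limit and the sample edit are assumptions.

```javascript
// Added example (not Nuxeo code): defensive handling of the user-profile
// fields named in the ticket. Layer 1 rejects markup on input; layer 2
// encodes on output so a stored value can never run as HTML or script.

// Fields an administrator can edit for a user (assumed names).
const PROFILE_FIELDS = ["firstName", "lastName", "company"];

// Maximum plausible length for a name/company field (assumed policy).
const MAX_LEN = 128;

// Angle brackets have no place in a name; quotes and ampersands do
// (O'Brien, Smith & Sons), so those are left to output encoding.
const FORBIDDEN = /[<>]/;

// Validate one field; returns null when acceptable, else a reason.
function validateField(name, value) {
  if (typeof value !== "string") return `${name}: not a string`;
  if (value.length > MAX_LEN) return `${name}: longer than ${MAX_LEN}`;
  if (FORBIDDEN.test(value)) return `${name}: contains markup characters`;
  return null;
}

// Validate a whole profile edit; returns the list of rejection reasons.
function validateProfile(profile) {
  return PROFILE_FIELDS
    .map((f) => validateField(f, profile[f] ?? ""))
    .filter((r) => r !== null);
}

// Encoding for the HTML text context. Values that bypassed validation
// (legacy data, other entry points such as LDAP import) render inert.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a user row safely: every field is encoded, raw stored values
// are never concatenated into markup.
function renderProfileRow(profile) {
  const cells = PROFILE_FIELDS.map((f) => `<td>${escapeHtml(profile[f] ?? "")}</td>`);
  return `<tr>${cells.join("")}</tr>`;
}

// Constructed sample edit carrying a script tag in the First Name field.
const SAMPLE_EDIT = {
  firstName: "<script>alert(1)</script>",
  lastName: "Doe",
  company: "Example & Co",
};
```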

            People

            • Assignee: Unassigned
            • Reporter: santony Sooraj Antony
