Cross Site Scripting XSS

Description

iDempiere has an XSS Stored vulnerability: it's possible to execute arbitrary javascript code.

Environment

None

Attachments

Linked issues

relates to

IDEMPIERE-4208

Preserve @ and # in HTML content

Activity

Show:

Carlos Ruiz June 5, 2019 at 10:11 AM

Thanks

Former user June 5, 2019 at 7:54 AM

I sent an email

Carlos Ruiz June 4, 2019 at 12:00 PM

Thanks , can you please ellaborate how to get that screenshot?

Which is the test case - some windows and fields are security sensitive and solution usually is to define it as System or Advanced to solve the issue.

If you think is better not to disclose this issue until solved, you can try following the procedure described here:
https://wiki.idempiere.org/en/How_to_report_a_vulnerability

Regards,

Carlos Ruiz