Cross Site Scripting vulnerabilities in user forms
--------------------------------------------------
Key: GTNPORTAL-1830
URL: https://issues.jboss.org/browse/GTNPORTAL-1830
Project: GateIn Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Reporter: Gary Hu
A user can place HTML or JavaScript as their first or last name, causing a viewing user to
execute said code. This may happen during user modification or in other actions. Other
inputs may be vulnerable as well.
To reproduce this on the EPP 5.1 out-of-the-box installation:
1) Log in as root
2) Go to "Users and groups management"
3) Under "User Management" click the "Edit User Info" icon
4) In the "First Name" or "Last Name" field, type in something like
"<script>alert("hello");</script>".
5) Click the "Save" button. The JavaScript is executed and a pop-up shows up.
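The class of fix for the behaviour reported above, as an added example that is not part of the original issue and is not GateIn's code: the stored first and last name are HTML-encoded at the point where the edit form is rendered, shown beside the unencoded version. The class, method and form field names are hypothetical, and the sample values are constructed.

```java
public class UserFormEncodingExample {

    // Encode the characters that are significant in HTML text and in
    // quoted attribute values. Null is rendered as an empty string.
    static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before: the stored value is concatenated into the markup unchanged,
    // so a name containing markup becomes part of the page.
    static String renderFieldUnsafe(String field, String stored) {
        return "<input type=\"text\" name=\"" + field + "\" value=\"" + stored + "\"/>";
    }

    // After: the stored value is encoded for the attribute it is written into.
    static String renderFieldEncoded(String field, String stored) {
        return "<input type=\"text\" name=\"" + field + "\" value=\"" + escapeHtml(stored) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed samples: the value from step 4 and an ordinary name
        // that must still display correctly after encoding.
        String first = "<script>alert(\"hello\");</script>";
        String last = "O'Brien & Sons";
        System.out.println("unsafe : " + renderFieldUnsafe("firstName", first));
        System.out.println("encoded: " + renderFieldEncoded("firstName", first));
        System.out.println("encoded: " + renderFieldEncoded("lastName", last));
        // The encoded field must not carry a raw tag or an unescaped quote from the stored value.
        String encoded = escapeHtml(first);
        if (encoded.contains("<") || encoded.contains("\"")) {
            throw new IllegalStateException("stored value was not encoded");
        }
    }
}
```

Encoding on output covers values already stored before the fix; the same encoding is needed at every place the name is displayed, not only in the edit form.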