[JBoss JIRA] (GTNPORTAL-2940) XSS attack on Display Name of registration form

Sunday, 21 April 2013



     [
https://issues.jboss.org/browse/GTNPORTAL-2940?page=com.atlassian.jira.pl...
]

Hai Nguyen updated GTNPORTAL-2940:
----------------------------------

    Labels: done portal-s70  (was: portal-s70)

    
...
 XSS attack on Display Name of registration form
 -----------------------------------------------

                 Key: GTNPORTAL-2940
                 URL: https://issues.jboss.org/browse/GTNPORTAL-2940
             Project: GateIn Portal
          Issue Type: Bug
      Security Level: Public(Everyone can see) 
    Affects Versions: 3.6.0.Beta01
            Reporter: Hai Nguyen
            Assignee: Hai Nguyen
              Labels: done, portal-s70

 When Display Name of an user contains script, it's executed when going to Dashboard.
(logo portlet contains user's display name)
 Steps to check: 
 * Register new user with display name is
"<script>alert('test')</script>"
 * Login as new user
 * Go to Dashboard
 Problem: alert popup is shown. 
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009