[SI-12] Potential CROSS SITE SCRIPTING (XSS) vulnerability - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: None
Fix Version/s: None
Component/s: ui-dashboard
Labels:
- dashboard

Template:
Sprint:
ERM Sprint 160, ERM Sprint 161, ERM Sprint 162
Development Team:
Bienenvolk
Release:
Orchid (R1 2023) Bug Fix

Description

Overview: html not escaped in URL link field
Steps to Reproduce:

Log into some FOLIO environment as User X
Click dashboard app
Create a widget and input javascript:alert('xss') to Url link field
Save the dashboard and click Link to app

Expected Results:

The javascript should not be executed
Actual Results:

The javascript is executed
Additional Information:
URL: tested on https://okapi-bugfest-nolana.int.aws.folio.org
Interested parties:

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2023-03-08-23-23-29-533.png
28 kB
09/Mar/23 4:23 AM

Issue Links

defines

ERM-2895 ui-dashboard release. Fix version: 4.0.1 (Orchid Bug Fix)

Closed

relates to

SI-23 URL validation in simple search widget is too strict

Closed

to be improved by

SI-20 Extend protection against potential XSS vulnerability

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(7 mentioned in)

Activity

People

Assignee:: Owen Stephens

Reporter:: Hongwei Ji

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 28/Feb/23 10:46 PM

Updated:: 12/Jun/23 7:57 AM

Resolved:: 30/Mar/23 8:39 PM