JCommuneIcon indicating the project type

JCommune

Uploaded image for project: 'JCommune'
  1. JCommune
  2. JC-2391

XSS on users list page

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.11 Larks
    • Fix Version/s: None
    • Labels:
    • Sprint:
      3.11 Larks

      Description

      Preconditions
      There is group with name 

      <script>alert("Name1")</script>

      User has admin permissions

      Steps to reproduce
      1. Go to Administration - Users
      2. Search for any existed user

      Actual result
      Alert window with text "Name1" is displayed, there is no group <script>alert("Name1")</script> in groups list

      Expected result
      There is no alert window, group <script>alert("Name1")</script> presents in groups list

        Attachments

          Issue Links

          Discovered while testing

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. JC-2367 Edit user groups

          • Major - Major loss of function.
          • Closed

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            jenkins Jenkins Bot added a comment -

            SUCCESS: Integrated in JC-UnitTests #3150
            JC-2391 XSS on users list page (oatkachenko: 1b02b6a19fee381eaf4391b96c3a42c8c2d7a16d)

            Show
            jenkins Jenkins Bot added a comment - SUCCESS: Integrated in JC-UnitTests #3150 JC-2391 XSS on users list page (oatkachenko: 1b02b6a19fee381eaf4391b96c3a42c8c2d7a16d )
            Hide
            Permalink
            varro Artem R added a comment -

            Test Environment
            JCommune 3.11.3150.1b02b6a, Firefox, Chrome

            Test Scenario
            Preconditions
            There is group with name 

            <script>alert("Name1")</script>

            User has admin permissions

            Steps
            1. Go to Administration - Users
            2. Search for any existed user

            Actual result = Expected result
            There is no alert window, group <script>alert("Name1")</script> presents in groups list

            Regression tests:
            Users in group, User Groups pages, edit user group popup work as expected

            Test results:
            Issue can be closed

            Show
            varro Artem R added a comment - Test Environment JCommune 3.11.3150.1b02b6a, Firefox, Chrome Test Scenario Preconditions There is group with name <script>alert("Name1")</script> User has admin permissions Steps 1. Go to Administration - Users 2. Search for any existed user Actual result = Expected result There is no alert window, group <script>alert("Name1")</script> presents in groups list Regression tests: Users in group, User Groups pages, edit user group popup work as expected Test results: Issue can be closed

              People

              • Assignee:
                varro Artem R
                Reporter:
                varro Artem R
              • Votes:
                0 Vote for this issue
                Watchers:
                Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Structure Helper Panel