camunda BPM: CAM-6242

Javascript code executable in input fields

    Details

      Description

      Use the following command:

      <script>window.alert("hallo")</script>

      The following input fields are affected:

      Cockpit:
      Process Instance View: User Task Assignee
      Process Instance View: Add a string variable with the name <script>window.alert("hallo")</script> in the instance modification menu. Subsequently go to the variables tab and change the variable type to object. This can also be done by other users --> XSS

      Admin:
      Create new User Menu: User Id*
      Create new Groups Menu: Group Id*
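The fields listed above all take a free-form string (an assignee, a variable name, a user or group id) and later show it back to other users, which is where a stored XSS lands. The example below is an added illustration and is not Camunda's code: it contrasts rendering such a string by plain concatenation with rendering it through an HTML escaper, using the payload from this issue as a constructed test input. The row template, the `escapeHtml` helper and the `setTextSafely` helper are assumptions made for the example; in a real browser the text-only sink is `element.textContent`, which never parses markup, whereas `innerHTML` does.

```javascript
// Added example (not Camunda's code): rendering an untrusted string such as
// a variable name or user id into HTML with and without escaping.

// Payload taken from the issue description, used here as a constructed test input.
const PAYLOAD = '<script>window.alert("hallo")</script>';

// Characters that carry meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that could open a tag, an entity or an attribute boundary.
// Escaping happens at the output sink, not on input, so legitimate values such as
// "Tom & Jerry" are stored unchanged and still display correctly.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted text concatenated straight into markup.
// A variable named "<script>...</script>" becomes a live script tag in the page.
function renderVariableRowUnsafe(name, type) {
  return '<tr><td>' + name + '</td><td>' + type + '</td></tr>';
}

// Hardened pattern: every untrusted value passes through escapeHtml first.
// The browser now shows the literal characters instead of executing them.
function renderVariableRowSafe(name, type) {
  return '<tr><td>' + escapeHtml(name) + '</td><td>' + escapeHtml(type) + '</td></tr>';
}

// Browser-side equivalent of escaping (assumed helper): write to a text sink.
// Works on any object exposing a textContent property, so it is testable without a DOM.
function setTextSafely(element, value) {
  element.textContent = String(value);
  return element;
}

// Coarse regression check: does the rendered markup still contain a raw <script tag?
function containsScriptTag(html) {
  return /<\s*script/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderVariableRowUnsafe(PAYLOAD, 'String'));
  console.log('safe   :', renderVariableRowSafe(PAYLOAD, 'String'));
  console.log('unsafe contains script tag:', containsScriptTag(renderVariableRowUnsafe(PAYLOAD, 'String')));
  console.log('safe contains script tag  :', containsScriptTag(renderVariableRowSafe(PAYLOAD, 'String')));
}
```

Run it with `node` to see the two rows side by side. The same escaper applies to the assignee, user id and group id fields: the fix belongs at every place the value is written into markup, and a template engine that escapes interpolated values by default gives the same protection without having to remember the call at each sink.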

        Activity

        sebastian.stamm Sebastian Stamm added a comment -

        The Jenkins jobs for commons-ui are currently failing on some branches; however, the failing test cases seem to be unrelated to the changes in this issue.


          People

          Assignee: michael.schoettes (Michael Schoettes)
          Reporter: michael.schoettes (Michael Schoettes)
