ZK-1961: XSS Vulnerability: It's possible to pass JavaScript over URL


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.0.8
    • Fix Version/s: 5.0.13
    • Component/s: General
    • Environment:

      ZK: PE 5.0.8
      Application Server: Oracle Weblogic 10.3.3.0
      Platform: Win 7 (64Bit)
      Java: 1.6.0_23 (64Bit)

      Description

      I have a ZK web application deployed on a WebLogic server on port 7001. I can make a request with embedded JS, and the response does not escape the embedded JavaScript, so it is executed on the client.

      When I make a similar call against the WebLogic web console, the JavaScript part is escaped and is not executed on the client. That's why I think it's not a WebLogic bug.

      As mentioned, I'm using version 5.0.8, but I haven't found any similar bug fixes in the release notes of newer releases.
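The report above describes a reflected XSS: a value taken from the request URL is copied into the response body without HTML escaping, so script markup in the URL runs in the victim's browser. The following is an added example (not ZK's code and not the reporter's) that shows the vulnerable pattern beside the escape-on-output fix, plus the probe a practitioner would run against a patched build to confirm the reflection is gone. The report does not name the affected parameter or path, so the `q` query parameter, the `/app/search` path and the probe string are assumptions for illustration; only the port 7001 comes from the report.

```javascript
// Added example, not code from ZK or the report. The "q" parameter, the
// /app/search path and the probe payload are assumptions for illustration.

// Minimal HTML escaper for text placed into an element body or a quoted
// attribute value: the five characters that can change HTML structure.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the value of the "q" parameter is copied into the page
// verbatim, so "<script>..." from the URL becomes live markup in the response.
function renderUnescaped(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<html><body><p>You searched for: ${q}</p></body></html>`;
}

// Hardened pattern: same page, but the untrusted value is escaped at the
// point where it is written into HTML, so it renders as text, not markup.
function renderEscaped(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<html><body><p>You searched for: ${escapeHtml(q)}</p></body></html>`;
}

// Regression probe: send a marker payload through a handler and report whether
// the response still contains it as raw markup. A true result means the handler
// reflects the URL value unescaped. The probe string is constructed for this
// example; run the same idea over HTTP against the real deployment.
const PROBE = '<script>alert("zk-xss-probe")</script>';

function reflectsUnescaped(renderFn, base = "http://localhost:7001/app/search") {
  const url = new URL(base);
  url.searchParams.set("q", PROBE); // URL-encodes the payload as a browser would
  const body = renderFn(url.toString());
  return body.includes(PROBE);
}

console.log("unescaped handler reflects raw script:", reflectsUnescaped(renderUnescaped));
console.log("escaped handler reflects raw script:  ", reflectsUnescaped(renderEscaped));
```

The probe tests the property the reporter observed (payload in URL, same payload verbatim in the response body), which is what to re-run after upgrading to the fix version. Escaping at output time is the correct fix; rejecting or stripping `<script>` on input is not, since the same value can break out through other tags, attributes or event handlers.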

            People

            Assignee: noahhuang
            Reporter: wingchan