Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-1961

XSS Vulnerability: It's possible to pass JavaScript over URL

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 5.0.13
    • 5.0.8
    • General

    • ZK: PE 5.0.8
      Application Server: Oracle Weblogic 10.3.3.0
      Platform: Win 7 (64Bit)
      Java: 1.6.0_23 (64Bit)

    Description

      I have a ZK-Web-Application deployed on a WebLogic Server on port 7001. Now I can make some JS embeded request and the response will not escape the embedded JavaScript so that it will be executed on the client.

      When I make a similar call against the WebLogic Web-Console the JavaScript part will be escaped and will not be executed at the client. That's why I think it's not a WebLogic bug.

      As mentioned, I'm using version 5.0.8, but I haven't found any similar bugfixes in the release notes of newer releases.

      Attachments

        Activity

          People

            noahhuang noahhuang
            wingchan wingchan
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: