XSS in Reports:
Test case: opening the following URL triggers an XSS alert in the browser.
http://localhost/html/vtigercrm/index.php?__vtrftk=sid:ec5e8838d88a28a5a421462d316c5d0ad597ca9b,1689330083&__vtrftk=sid%3A5b22cf85bb00aeec85ea78f174419285547d0b85%2C1689330102&module=Reports&view=Edit&mode=step3&record=&reportname=test%20g%20nonadmin%2022%22%20aa&reportfolderid=1&description=&primary_module=Contacts&secondary_modules=&selected_fields=%5b%5d%27%3e%20aa%20%3cimg%20src%3dx%20onerror%3dalert(1)%3e%20&selected_sort_fields=%5B%5B%22none%22%2Cnull%2Cnull%5D%2C%5B%22none%22%2Cnull%2Cnull%5D%2C%5B%22none%22%2Cnull%2Cnull%5D%5D&calculation_fields=%7B%7D&isDuplicate=&enable_schedule=&schtime=&schdate=&schdayoftheweek=null&schdayofthemonth=null&schannualdates=null&recipients=null&specificemails=&schtypeid=1&fileformat=CSV&selectstep2dropdown_1=none&selectstep2dropdown_2=none&selectstep2dropdown_3=none
Note: the XSS payload is carried in the `selected_fields` parameter. Its value starts with `[]'> aa`, which closes the attribute the value is reflected into, followed by the URL-encoded `<img>` element with an `onerror` handler shown in the URL above.
Resolved: I resolved the error in step 2 and step 3 to prevent XSS injection.
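The root cause in a report of this shape is a request parameter being written back into the page without validation or output encoding. The snippet below is an added illustration, not Vtiger's own code: it models the step 3 editor echoing `selected_fields` into a hidden input, first the vulnerable way and then with the parameter parsed as the JSON array the step expects, checked against a hypothetical allow-list of field tokens, and HTML-encoded before it reaches the attribute. Function names, the field-token format and the sample inputs are assumptions made for the example.

```php
<?php
// Added illustration, not Vtiger code. Models the report editor (step 3)
// echoing the selected_fields request parameter back into the page.

// Vulnerable pattern: the raw value is concatenated into an attribute. A value
// whose first characters are  '>  terminates the attribute and the element, so
// whatever follows is parsed by the browser as new markup.
function renderSelectedFieldsVulnerable(string $raw): string
{
    return "<input type='hidden' name='selected_fields' value='" . $raw . "'>";
}

// Hardened pattern, part 1: validate the parameter against the shape the step
// actually produces (a JSON array of field tokens). Anything else is rejected.
function parseSelectedFields(string $raw): ?array
{
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        return null;                       // not a JSON array at all (e.g. the payload)
    }
    foreach ($decoded as $field) {
        // Hypothetical allow-list: tokens built only from letters, digits, '_' and ':'
        if (!is_string($field) || !preg_match('/^[A-Za-z0-9_:]+$/', $field)) {
            return null;                   // unexpected characters, reject the whole list
        }
    }
    return $decoded;
}

// Hardened pattern, part 2: re-serialise the validated list and output-encode it
// for the HTML attribute context. ENT_QUOTES ensures neither ' nor " can close
// the attribute; the JSON_HEX_* flags keep <, >, ', " and & out of the JSON text.
function renderSelectedFieldsHardened(string $raw): string
{
    $fields = parseSelectedFields($raw);
    if ($fields === null) {
        $fields = [];                      // invalid input falls back to an empty selection
    }
    $json = json_encode($fields, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    $escaped = htmlspecialchars($json, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='hidden' name='selected_fields' value='" . $escaped . "'>";
}

// Constructed inputs: the decoded selected_fields value from the report's URL,
// and a benign selection in the assumed token format.
$payload = "[]'> aa <img src=x onerror=alert(1)> ";
$benign  = '["Contacts:firstname","Contacts:email"]';

echo renderSelectedFieldsVulnerable($payload), PHP_EOL; // injected element reaches the document
echo renderSelectedFieldsHardened($payload), PHP_EOL;   // value='[]' : payload rejected
echo renderSelectedFieldsHardened($benign), PHP_EOL;    // value='[&quot;Contacts:firstname&quot;,...]'
```

The two hardened functions are deliberately separate: validation limits what the parameter may contain, and encoding makes whatever survives safe for the specific context it is written into. Either measure alone is weaker; the encoding step is what closes the reported reflection, while the allow-list keeps unexpected values out of the report definition that step 2 and step 3 persist.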