
'ice.window', 'ice.view' parameters vulnerable to JS injection attack

    Details

      Description

      This behaviour makes ICEfaces vulnerable to JavaScript injection attacks when accessed URLs contain JavaScript code as parameter values. For ICEfaces 3.* versions only the 'ice.view' parameter is vulnerable, while in ICEfaces 4.* versions the 'ice.view' and 'ice.window' parameters are vulnerable to JS injection attacks.

        Activity

        Repository: ICEsoft Public SVN Repository
        Revision: #48610
        Date: Tue Apr 05 07:06:22 MDT 2016
        User: mircea.toma
        Message: ICE-10998 Verify if the received window ID is valid before creating the scope map. Also verify if the view ID parameter is valid.

        Files Changed
        MODIFY /icefaces4/trunk/icefaces/core/src/main/java/org/icefaces/impl/application/WindowScopeManager.java
        MODIFY /icefaces4/trunk/icefaces/core/src/main/java/org/icefaces/impl/event/BridgeSetup.java
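
The check the commit message describes, sketched as an added example that is not ICEfaces code: the 'ice.window' and 'ice.view' values are validated against an allowlist before any state is created or script is emitted from them. The class name, `renderSetup`, the `setup(...)` script call and the ID pattern are assumptions; the page does not state how ICEfaces decides that an ID is valid.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not ICEfaces source. Class name, method names and the
// ID pattern are assumptions made for this example.
public class BridgeParamCheck {
    // Assumed allowlist: a short token of letters, digits, '_', ':' and '-'.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_:-]{1,64}");

    static boolean isValidId(String value) {
        return value != null && SAFE_ID.matcher(value).matches();
    }

    // Returns the value only if it passes the allowlist; otherwise null, so the
    // caller never echoes the raw request input.
    static String acceptOrNull(String value) {
        return isValidId(value) ? value : null;
    }

    // Builds a script fragment from the two parameters, but only after both
    // have been validated. setup(...) is a hypothetical client-side function.
    static String renderSetup(Map<String, String> params) {
        String window = acceptOrNull(params.get("ice.window"));
        String view = acceptOrNull(params.get("ice.view"));
        if (window == null || view == null) {
            return null; // reject: create no state and emit no script
        }
        return "setup('" + window + "','" + view + "');";
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        Map<String, String> good = new LinkedHashMap<>();
        good.put("ice.window", "w1a2b3");
        good.put("ice.view", "v7:42");

        Map<String, String> bad = new LinkedHashMap<>();
        bad.put("ice.window", "w1a2b3");
        bad.put("ice.view", "v7');alert(1);//"); // breaks out of the quoted string

        System.out.println("good -> " + renderSetup(good));
        System.out.println("bad  -> " + renderSetup(bad));
    }
}
```

Format validation of this kind complements, and does not replace, context-appropriate output encoding wherever a request value is written into a page.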

          People

          • Assignee: Mircea Toma
          • Reporter: Mircea Toma