[Vtigercrm-commits] [Vtiger development] #8320: XSS need to be treated differently in CRM than CMS
Vtiger development
vtiger-tickets at trac.vtiger.com
Sun Oct 26 19:07:57 GMT 2014
#8320: XSS need to be treated differently in CRM than CMS
-------------------------+------------------------
Reporter: prasad | Owner: developer
Type: known issue | Status: new
Priority: unassigned | Milestone: Unassigned
Component: vtigercrm | Version: 6.0.0
Severity: Medium | Keywords:
-------------------------+------------------------
A CMS is exposed more to visitors of the website, and XSS is critical there because one
visitor can set up a trap to hijack the data of another.

However, a CRM will not be exposed directly to visitors of the website.
Only authenticated users (most likely members of the organization) would
work with the application. This demands a different treatment while
evaluating XSS or similar vulnerabilities.

Authenticated users in the CRM are allowed to inject several special HTML tags
that would normally be claimed to be susceptible during an XSS evaluation. This
is allowed by the application intentionally, with the basic trust that
authenticated users would not harm each other. In the event of misuse, the
application administrator should ban access for the user, immediately
cease his access to the application, and clean / clear the data created.

In case you notice that XSS can be injected without user authentication,
please do inform us.
--
Ticket URL: <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/8320>
Vtiger development <http://trac.vtiger.com/>