Bug #56189 Security - XSS vulnerability on the Manage Users page.
Submitted: 23 Aug 2010 13:00 Modified: 25 Aug 2010 0:09
Reporter: Mark Leith
Status: Closed
Category: MySQL Enterprise Monitor: Web Severity: S1 (Critical)
Version: 2.2.3.1741 OS: Any
Assigned to: Josh Sled CPU Architecture: Any

[23 Aug 2010 13:00] Mark Leith
Description:
The User field on the edit user popup is vulnerable to XSS attacks. 

How to repeat:
o Go to Settings->Manage Users as a manager role
o Create a "test" user
o Edit the test user, changing the Username field to:

test<script>alert(1)</script>

Submit the action
[23 Aug 2010 21:08] Enterprise Tools JIRA Robot
Josh Sled writes: 
revno: 8135
revision-id: josh.sled@oracle.com-20100823210520-ap06oua6s4h10swp
parent: josh.sled@oracle.com-20100823202403-ghvf087xaldwx1z7
committer: Josh Sled <josh.sled@oracle.com>
branch nick: 2.2
timestamp: Mon 2010-08-23 17:05:20 -0400
message:
  EM-4740: correct XSS vector of unescaped user names in localized messages in default page template, dashboard.
[23 Aug 2010 21:18] Enterprise Tools JIRA Robot
Josh Sled writes: 
In terms of reproduction, one must log in as the "test<script>[...]" user to exhibit the problem.
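The commit message above describes the vector (a user name interpolated unescaped into a localized message in the page template) and the fix (escaping it). The following is an added illustration, not MySQL Enterprise Monitor's own code: a hypothetical message bundle with a `{0}` placeholder, rendered once without escaping and once with escaping at the interpolation point, using the bug report's own user name as constructed input.

```javascript
// Added example (not MEM's code). Assumed: messages are plain templates with a
// {0} placeholder; the real product's bundle format and template engine differ.

// Minimal HTML escaping for text nodes and attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical localized messages; the user name is substituted for {0}.
const MESSAGES = {
  en: "Welcome, {0}. You are logged in.",
  de: "Willkommen, {0}. Sie sind angemeldet.",
};

// The pre-fix behaviour: the user name goes into the template verbatim.
// A function replacement avoids JavaScript's "$&"-style substitution patterns.
function renderUnescaped(locale, userName) {
  return MESSAGES[locale].replace("{0}", () => userName);
}

// The fixed behaviour: escape at the sink, so every locale is covered at once
// rather than relying on each translated string being safe.
function renderEscaped(locale, userName) {
  return MESSAGES[locale].replace("{0}", () => escapeHtml(userName));
}

// Constructed input: the user name from the bug report's repro steps.
const REPORTED_USERNAME = "test<script>alert(1)</script>";

// Regression check a defender would keep: rendered output must never carry a
// live <script> tag originating from the user name.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration across both locales.
function demo() {
  return Object.keys(MESSAGES).map((locale) => ({
    locale,
    vulnerable: containsScriptTag(renderUnescaped(locale, REPORTED_USERNAME)),
    fixed: containsScriptTag(renderEscaped(locale, REPORTED_USERNAME)),
  }));
}
```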
[8 Sep 2010 15:52] MC Brown
A note has been added to the 2.2.3 changelog:

    The content of the user field on the <guilabel>Edit
    User</guilabel> screen was not protected so it was possible to
    insert scripting instructions into the field contents.
[18 Apr 2011 14:15] Mark Leith
Originally reported by Myles Hosford.