XSS issue located in ram infopop
We try the following URL in the RAM server:
https://RAMURL//cloud/enterprise/ram/infopop?contextId=sgen0101&default=Modify%3Ciframe+src%3Djavascript%3Aalert%28105486%29%3E
Then in the RAM 7202 server it will popup a window with the value : 105486
In the RAM 7511 server it will not open new window, instead show the following content:
Modify: Edit the description, categories, attached artifacts, or related assets for this asset. Depending on the current state of the asset and the edits that you make, when you modify an asset, you might change its state, move it to a different lifecycle, or trigger policies.
Please let me know if it means this XSS issue is fixed in 7511
https://RAMURL//cloud/enterprise/ram/infopop?contextId=sgen0101&default=Modify%3Ciframe+src%3Djavascript%3Aalert%28105486%29%3E
Then in the RAM 7202 server it will popup a window with the value : 105486
In the RAM 7511 server it will not open new window, instead show the following content:
Modify: Edit the description, categories, attached artifacts, or related assets for this asset. Depending on the current state of the asset and the edits that you make, when you modify an asset, you might change its state, move it to a different lifecycle, or trigger policies.
Please let me know if it means this XSS issue is fixed in 7511
Accepted answer
That is correct. This problem was fixed in 7.5.0.1. See defect Infopops contain an XSS vulnerability (39180).