IBM Support

IJ10051: JAVASCRIPT IS EXECUTED IF HTML CODE ENTERED IN SR APPLICATION DESCRIPTION FIELD.

APAR status

  • Closed as program error.

Error description

  • Problem details
    ================
    JAVASCRIPT IS EXECUTED IF HTML CODE ENTERED IN SR APPLICATION
    DESCRIPTION FIELD.
    
    Application affected
    ====================
    SR
    
    Steps to reproduce
    ===================
    
    1. Using App Designer, import the attached sr-tpae-try.xml
    2. Logout and login
    3. Go to the SR app
    4. Open any existing
    5. Go to the Related Records tab
    6. In the Service Request description field, enter the
    following string: <img src=ok onerror=alert(/xss/)>
    7. Save the record
    8. Click on the Service Request tab
    
    
    RESULTS / PROBLEM
    ==================
    The JavaScript will execute and the alert box will pop up on
    the page.
    
    
    Expected Results
    ================
    This needs to be prevented from happening.
    
    Product Version
    ===============
    Tivoli's process automation engine 7.6.0.8-IFIX20180130-1210
    Build 20170512-0100 DB Build V7608-63 HFDB Build HF7608-12
    Service Desk for IBM Control Desk 7.6.0.3257 Build 201709140546
    DB Build V7603-02
    Service Catalog for IBM Control Desk 7.6.0.3257 Build
    201709140546 DB Build V7603-01
    IBM Maximo for Service Providers 7.6.3.0-20180326-0921 Build
    20170221-2101 DB Build V7630-21 HFDB Build HF7630-05
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * N/A                                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * JAVASCRIPT IS EXECUTED IF HTML CODE ENTERED IN SR            *
    * APPLICATION  DESCRIPTION FIELD.                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • Fixed in label.jsp
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ10051

  • Reported component name

    SELF SERVICE

  • Reported component ID

    5724R46SS

  • Reported release

    760

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-03

  • Closed date

    2018-11-01

  • Last modified date

    2018-11-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SELF SERVICE

  • Fixed component ID

    5724R46SS

Applicable component levels

  • R760 PSY

       UP



Document information

More support for: Maximo Asset Management
Self Service

Software version: 760

Reference #: IJ10051

Modified date: 01 November 2018