www-announce mailing list archives

From Jacopo Cappellato <jaco...@apache.org>
Subject [SECURITY] CVE-2016-6800 Apache OFBiz blog stored XSS vulnerability
Date Tue, 29 Nov 2016 06:58:31 GMT
Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*

Description:
The default configuration of the OFBiz framework offers blog
functionality. Different users can operate blogs that are related to
specific parties. In the form for creating new blog articles, user
input in the summary field and in the article field is not properly
sanitized. It is possible to inject arbitrary JavaScript code into
these form fields. This code is executed in the browser of every user
who visits the article.

Mitigation:
Upgrade to 16.11.01

Credit: Robert Scholz, ERNW GmbH

References:
http://ofbiz.apache.org/download.html#vulnerabilities
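
The flaw class described above, as an added example that is not OFBiz code and not part of the original advisory: a blog article's stored summary and article text rendered without output encoding, next to a rendering that encodes both fields. The class, method names and sample strings are hypothetical and constructed for illustration.

```java
public class BlogRenderDemo {

    // Encode the characters that let stored text break out of HTML
    // element content or a quoted attribute value.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before: stored field values are concatenated into the page as markup,
    // so any tags they contain are interpreted by every visitor's browser.
    static String renderUnsafe(String summary, String article) {
        return "<h2>" + summary + "</h2>\n<div>" + article + "</div>";
    }

    // After: both stored fields are encoded at output time, so they are
    // displayed as text regardless of what was saved.
    static String renderSafe(String summary, String article) {
        return "<h2>" + escapeHtml(summary) + "</h2>\n<div>"
                + escapeHtml(article) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for a saved blog article.
        String summary = "Release notes <script>alert(1)</script>";
        String article = "Details & \"quotes\" <b>bold</b>";

        System.out.println("-- unencoded rendering --");
        System.out.println(renderUnsafe(summary, article));
        System.out.println("-- encoded rendering --");
        System.out.println(renderSafe(summary, article));
    }
}
```

Encoding at output time also covers articles that were saved before the fix, which input-side filtering alone does not.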
