[CVE-2020-1943] Apache OFBiz XSS Vulnerability



jacopoc
Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 16.11.01 to 16.11.07

Description:
Data sent in the "contentId" parameter to "/control/stream" is not sanitized,
allowing XSS attacks.

Mitigation:
Upgrade to 17.12.01 or manually apply the commits at OFBIZ-10753.
----

Credit:
Timon Funck <[hidden email]>

References:
http://ofbiz.apache.org/download.html#vulnerabilities
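As an added, defender-side example (not part of the advisory and not OFBiz project code): a small Python log check that flags requests to the /control/stream endpoint whose decoded contentId contains anything other than plain identifier characters, a cheap way to spot probing of this issue on still-unpatched 16.11.x hosts. The Common Log Format layout, the sample lines and the assumption that legitimate contentId values are simple identifiers are all constructed here.

```python
"""Heuristic access-log check for CVE-2020-1943 probing (constructed example).

A legitimate OFBiz contentId is an identifier-like string; anything with
markup characters in the decoded value of a /control/stream request is
worth a look."""
import re
from urllib.parse import parse_qs, urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: real contentId values are letters, digits, '_', '.', '-'.
SAFE_CONTENT_ID = re.compile(r'^[A-Za-z0-9_.-]*$')


def suspicious_content_ids(line):
    """Return decoded contentId values of a /control/stream request that do
    not look like identifiers; [] for other lines or clean requests."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a request line we understand
    url = urlsplit(m.group('target'))
    # endswith() also covers deployments under a context path
    if not url.path.endswith('/control/stream'):
        return []
    # parse_qs percent-decodes values, so encoded '<' and '>' are caught
    ids = parse_qs(url.query, keep_blank_values=True).get('contentId', [])
    return [v for v in ids if not SAFE_CONTENT_ID.match(v)]


def scan(lines):
    """Return [(line_number, [bad values])] for every flagged request."""
    findings = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_content_ids(line)
        if bad:
            findings.append((n, bad))
    return findings


# Constructed sample log lines; the third carries a tame markup probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2020:10:00:01 +0000] "GET /control/stream?contentId=10001 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Mar/2020:10:00:02 +0000] "GET /control/main HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Mar/2020:10:00:03 +0000] "GET /control/stream?contentId=TEST%3C%3Eprobe&x=1 HTTP/1.1" 404 321',
]

if __name__ == '__main__':
    for n, bad in scan(SAMPLE_LOG):
        print(f'line {n}: suspicious contentId {bad}')
```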