Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*
Description:
The default configuration of the OFBiz framework offers a blog
functionality. Different users are able to operate blogs which are
related to specific parties. In the form field for the creation of new
blog articles the user input of the summary field as well as the article
field is not properly sanitized. It is possible to inject arbitrary
JavaScript code in these form fields. This code gets executed from the
browser of every user who is visiting this article.
Mitigation:
Upgrade to 16.11.01
Credit: Robert Scholz, ERNW GmbH
References:
http://ofbiz.apache.org/download.html#vulnerabilities