[SECURITY] CVE-2016-6800 Apache OFBiz blog stored XSS vulnerability

jacopoc
Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*

Description:
The default configuration of the OFBiz framework offers blog
functionality. Different users are able to operate blogs which are
related to specific parties. In the form for creating new blog articles,
user input in the summary field and in the article field is not properly
sanitized. It is possible to inject arbitrary JavaScript code into these
form fields. This code is executed in the browser of every user who
visits the article.

Mitigation:
Upgrade to 16.11.01

Credit: Robert Scholz, ERNW GmbH

References:
http://ofbiz.apache.org/download.html#vulnerabilities
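
The flaw class described in the advisory, stored summary and article values written into the page without encoding, shown beside an output-encoded rendering. This is an added example, not Apache OFBiz code and not part of the original post; apart from the field names summary and article, every function name and the sample post are hypothetical.

```javascript
// Added illustration, not Apache OFBiz code. Only the field names
// "summary" and "article" come from the advisory; the rest is hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that let text break out of an HTML text or
// quoted-attribute context. null/undefined render as an empty string.
function escapeHtml(value) {
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored field values are concatenated into the page,
// so any markup saved by the author is live for every later visitor.
function renderArticleUnsafe(post) {
  return `<article><p class="summary">${post.summary}</p>` +
         `<div class="body">${post.article}</div></article>`;
}

// Hardened pattern: both fields are encoded at output time.
function renderArticleSafe(post) {
  return `<article><p class="summary">${escapeHtml(post.summary)}</p>` +
         `<div class="body">${escapeHtml(post.article)}</div></article>`;
}

// Review aid for already-stored posts: list the fields that contain
// something shaped like an HTML tag.
function findSuspectFields(post) {
  const tagLike = /<\s*\/?\s*[a-z][^>]*>/i;
  return ['summary', 'article'].filter((field) =>
    tagLike.test(post[field] == null ? '' : String(post[field])));
}

// Constructed sample record (not taken from any real system).
const samplePost = {
  summary: 'Release notes <script>alert(1)</script>',
  article: 'Tom & Jerry say "hi"',
};

console.log(renderArticleSafe(samplePost));
console.log(findSuspectFields(samplePost));
```

Encoding at output time keeps legitimate characters such as & and quotes readable in the article while rendering stored markup as inert text.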