svn propchange: r1759065 - svn:log

jleroux@apache.org
Author: jleroux
Revision: 1759065
Modified property: svn:log

Modified: svn:log at Tue Nov 29 08:25:29 2016
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Tue Nov 29 08:25:29 2016
@@ -1,3 +1,12 @@
 In rev. 1536324  Jacques Le Roux changed the value of the attribute allow-html from "safe" to "any" and deprecated the usage of the "safe" value.
 However the "safe" behavior is necessary to allow these fields to accept tags in a safe way: for this reason that commit should be reverted and a different solution should be implemented.
 In the meantime, this commit changes the allow-html values for the blog entries to "none".
+
+[CVE-2016-6800] Apache OFBiz blog stored XSS vulnerability
+The default configuration of the OFBiz framework offers a blog
+functionality. Different users are able to operate blogs which are
+related to specific parties. In the form field for the creation of new
+blog articles the user input of the summary field as well as the article
+field is not properly sanitized. It is possible to inject arbitrary
+JavaScript code in these form fields. This code gets executed from the
+browser of every user who is visiting this article.
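Review bot: The added CVE paragraph (from the "+[CVE-2016-6800]" line onward) describes the vulnerability but never states what this revision actually does about it, while the retained first three lines already say the real fix is to revert rev. 1536324 and implement a different solution, with the change of the blog entries' allow-html to "none" only being a stopgap "in the meantime". Suggest ending the new paragraph with a sentence tying the two together, e.g. "This commit mitigates the issue by setting allow-html to "none" on the blog entry fields; restoring a safe HTML mode is still pending.", so that anyone tracing CVE-2016-6800 from the log sees that this is a mitigation and not the complete fix.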