Posted to user@ofbiz.apache.org by Jacopo Cappellato <ja...@apache.org> on 2016/11/29 06:58:31 UTC

[SECURITY] CVE-2016-6800 Apache OFBiz blog stored XSS vulnerability

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*

Description:
The default configuration of the OFBiz framework offers blog
functionality. Different users are able to operate blogs which are
related to specific parties. In the form for creating new blog
articles, user input in the summary field and in the article field is
not properly sanitized. It is possible to inject arbitrary JavaScript
code into these form fields. This code is executed in the browser of
every user who visits the article.

Mitigation:
Upgrade to 16.11.01

Credit: Robert Scholz, ERNW GmbH

References:
http://ofbiz.apache.org/download.html#vulnerabilities