Posted to user@ofbiz.apache.org by Jacopo Cappellato <ja...@apache.org> on 2020/03/06 09:08:05 UTC

[CVE-2020-1943] Apache OFBiz XSS Vulnerability

Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 16.11.01 to 16.11.07

Description:
Data sent with "contentId" to "/control/stream" is not sanitized, allowing
XSS attacks.
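The description names the vulnerability class but not its mechanics. The example below is added here to illustrate that class; it is not the OFBiz code, nor the fix in OFBIZ-10753 (OFBiz is a Java application, and the real handler is not shown on this page). It contrasts a constructed handler that reflects a `contentId`-style parameter straight into an HTML response with the same handler after output encoding, and includes a small check a reviewer could use to confirm that no markup from the parameter survives in the rendered page. All function names, the page template and the sample value are assumptions.

```python
import html
import re

# Constructed illustration of the bug class behind CVE-2020-1943: a request
# parameter reflected into an HTML response without output encoding.
# Not OFBiz code; handler names and the page template are assumptions.


def render_stream_error_vulnerable(content_id: str) -> str:
    """Reflects the parameter into the page body with no encoding.

    Any '<', '>', '"' or '&' in content_id lands in the markup unchanged,
    so the parameter can close the element and start its own tags.
    """
    return f"<p>Content {content_id} could not be streamed.</p>"


def render_stream_error_hardened(content_id: str) -> str:
    """Same page, but the parameter is HTML-entity encoded for the
    element-body context before being concatenated into markup.

    html.escape(quote=True) encodes & < > " and ' so the value is always
    rendered as text, never interpreted as tags or attributes.
    """
    safe = html.escape(content_id, quote=True)
    return f"<p>Content {safe} could not be streamed.</p>"


# Matches anything that a browser would parse as a start or end tag.
_TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")


def reflected_markup(rendered: str, template_tags=("<p>", "</p>")) -> list:
    """Return the tags in the rendered output that are not part of the fixed
    template, i.e. tags that originated in the reflected parameter.

    An empty list means the parameter was rendered as inert text.
    """
    return [t for t in _TAG_RE.findall(rendered) if t not in template_tags]


# Constructed sample value containing characters that matter in HTML context.
# It is not a payload from the advisory; it only shows which characters the
# encoding step must neutralise.
SAMPLE_CONTENT_ID = '10000"><i>injected</i>'


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_stream_error_vulnerable),
                     ("hardened", render_stream_error_hardened)):
        page = fn(SAMPLE_CONTENT_ID)
        print(f"{name}: {page}")
        print(f"  tags from parameter: {reflected_markup(page)}")
```

Encoding must match the output context: `html.escape` is correct for element bodies and quoted attribute values, but a parameter written into a JavaScript block, a URL or a CSS value needs the encoder for that context instead. The `reflected_markup` check is a unit-test style guard, not a substitute for that context-aware encoding.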

Mitigation:
Upgrade to 17.12.01 or manually apply the commits at OFBIZ-10753
----

Credit:
Timon Funck <ti...@syss.de>

References:
http://ofbiz.apache.org/download.html#vulnerabilities