Posted to user@ofbiz.apache.org by Jacopo Cappellato <ja...@apache.org> on 2013/07/20 18:02:42 UTC

[CVE-2013-2137] Apache OFBiz XSS vulnerability in the "View Log" screen of the Webtools application

CVE-2013-2137 - Apache OFBiz XSS vulnerability in the "View Log" screen of the Webtools application

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

XSS vulnerability in the "View Log" screen of the Webtools application, because the content of the HTML log was not properly encoded.

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi (gregory.draperi@gmail.com).

References:

http://ofbiz.apache.org/download.html#vulnerabilities
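As an added illustration of the bug class described above (example code, not OFBiz's own code or its actual fix, which lives in the Webtools screen templates): the unencoded rendering pattern beside its output-encoded form, run over a constructed log excerpt, plus a check that a log viewer's own tests could use to catch a regression.

```python
import html
import re

# Constructed sample log excerpt (not taken from a real OFBiz instance).
# The third line shows what attacker-influenced data looks like once it has
# reached the log file and is read back by a "view log" screen.
SAMPLE_LOG = """\
2013-07-20 18:02:42,101 (main) [ Start.java:123 :INFO ] OFBiz started
2013-07-20 18:02:43,200 (exec-1) [ LoginWorker.java:512 :WARN ] Login failed for user "bob"
2013-07-20 18:02:44,300 (exec-2) [ LoginWorker.java:512 :WARN ] Login failed for user "<script>alert(1)</script>"
"""

# Log level as it appears in the sample format; the alternation is fixed, so the
# captured value is safe to reuse as a CSS class name.
LEVEL_RE = re.compile(r":(TRACE|DEBUG|INFO|WARN|ERROR|FATAL) \]")


def render_log_unencoded(raw_log: str) -> str:
    """Vulnerable pattern: log text is dropped into the page as-is, so anything
    in the log that looks like markup is interpreted by the browser."""
    return "<pre>" + raw_log + "</pre>"


def render_log_encoded(raw_log: str) -> str:
    """Hardened form: each log line is HTML-entity encoded before it is
    embedded. The template may still emit its own markup (the span per line);
    only the untrusted data is encoded."""
    parts = ["<pre>"]
    for line in raw_log.splitlines():
        match = LEVEL_RE.search(line)
        level = match.group(1).lower() if match else "unknown"
        # quote=True also encodes " and ', which matters if a log line is ever
        # placed inside an attribute value rather than element content.
        parts.append(f'<span class="log-{level}">{html.escape(line, quote=True)}</span>')
    parts.append("</pre>")
    return "\n".join(parts)


def leaks_raw_markup(rendered_html: str, raw_log: str) -> bool:
    """Defender's regression check: does any '<...>' fragment that was present
    in the raw log survive unencoded in the rendered page?"""
    fragments = re.findall(r"<[^>]+>", raw_log)
    return any(fragment in rendered_html for fragment in fragments)
```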


RE: [CVE-2013-2137] Apache OFBiz XSS vulnerability in the "View Log" screen of the Webtools application

Posted by SirDouglas Cook <si...@hotmail.com>.
Please make the emails to sirdouglascook@hotmail.com stop...

and remove my email addresses from 

*gregory.draperi@gmail.com
*security@apache.org
*dev@ofbiz.apache.org
*user@ofbiz.apache.org
*announce@apache.org
*full-disclosure@lists.grok.org.uk
*bugtraq@securityfocus.com

This has been going on for over a month; I am fed up. I have asked everyone, everywhere.
I shouldn't have to contact ISPs and spam forums to shut you down, nor should anyone else.
But for &*^& sake, remove me from your databases NOW.

Thank you,

Doug


Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return email and delete this message and any attachments from your system. Thank you.



> From: jacopoc@apache.org
> Subject: [CVE-2013-2137] Apache OFBiz XSS vulnerability in the "View Log" screen of the Webtools application
> Date: Sat, 20 Jul 2013 18:02:42 +0200
> To: gregory.draperi@gmail.com; security@apache.org; dev@ofbiz.apache.org; user@ofbiz.apache.org; announce@apache.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com