Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/11/29 08:15:30 UTC

svn propchange: r1761986 - svn:log

Author: jleroux
Revision: 1761986
Modified property: svn:log

Modified: svn:log at Tue Nov 29 08:15:30 2016
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Tue Nov 29 08:15:30 2016
@@ -18,3 +18,12 @@ sure it's OK as is
 
 Thanks: Pierre for report, Scott for spotting the issue.
 ------------------------------------------------------------------------
+
+[CVE-2016-6800] Apache OFBiz blog stored XSS vulnerability
+The default configuration of the OFBiz framework offers a blog
+functionality. Different users are able to operate blogs which are
+related to specific parties. In the form field for the creation of new
+blog articles the user input of the summary field as well as the article
+field is not properly sanitized. It is possible to inject arbitrary
+JavaScript code in these form fields. This code gets executed from the
+browser of every user who is visiting this article.
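Review bot: the added paragraph (from "+[CVE-2016-6800] Apache OFBiz blog stored XSS vulnerability" to "+browser of every user who is visiting this article.") documents the vulnerability but says nothing about the remediation, so a reader of this log cannot tell what the revision changed to close the issue; consider adding one sentence stating how the summary and article fields of the blog form are now handled (which sanitization or escaping was applied) and, if one exists, the tracking issue reference, so the CVE text can be tied to the actual change.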