Message-Id: <B9EF2AC5-DED5-4758-AEFB-FFC880D264F6@apache.org>
Date: Tue, 19 Aug 2014 10:06:08 +0200
From: Jacopo Cappellato <jacopoc@...che.org>
To: "user@...iz.apache.org ML" <user@...iz.apache.org>,
dev@...iz.apache.org,
security Team <security@...che.org>,
oss-security@...ts.openwall.com,
bugtraq@...urityfocus.com,
gregory draperi <gregory.draperi@...il.com>
Subject: [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability

CVE-2014-0232: Apache OFBiz Cross-site scripting (XSS) vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache OFBiz 11.04.01 to 11.04.04
Apache OFBiz 12.04.01 to 11.04.03
The unsupported Apache OFBiz 09.04.x and 10.04.x versions may also be affected.
Description:
Result and error messages returned by some OFBiz services could be a vector for XSS attacks.
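The following Java class is an added illustration of the class of bug named above; it is not OFBiz code and not the change made in r1608698. A hypothetical service echoes a caller-supplied identifier back in its error message, and the page that displays service messages splices them into HTML verbatim. The hardened renderer encodes each message at the point where it enters the HTML, which is the fix that matters regardless of where the message text originated. The product lookup, the message wording and the input value are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example (not OFBiz code): why service result/error messages must be
// HTML-encoded before they are written into a page, and one way to do it.
public class ServiceMessageEncoding {

    // Minimal HTML entity encoder for text placed in element content or in a
    // quoted attribute value. A real project should use a vetted library
    // encoder; this one only keeps the example self-contained.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical service: looks up a product and, on failure, reports the
    // caller-supplied id back in the error message (a very common pattern).
    static final Map<String, String> CATALOG = Map.of("WG-1111", "Widget");

    static List<String> lookupProduct(String productId) {
        List<String> errors = new ArrayList<>();
        if (!CATALOG.containsKey(productId)) {
            errors.add("No product found with id " + productId);
        }
        return errors;
    }

    // Vulnerable rendering: message strings are spliced into HTML unchanged,
    // so any markup inside a message becomes part of the page.
    static String renderUnsafe(List<String> messages) {
        StringBuilder html = new StringBuilder("<ul class=\"errors\">");
        for (String m : messages) {
            html.append("<li>").append(m).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    // Hardened rendering: every message is encoded exactly where it enters
    // the HTML, independent of how the service built the string.
    static String renderSafe(List<String> messages) {
        StringBuilder html = new StringBuilder("<ul class=\"errors\">");
        for (String m : messages) {
            html.append("<li>").append(htmlEncode(m)).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed input: a request parameter that carries markup.
        String constructedInput = "<script>alert(1)</script>";
        List<String> errors = lookupProduct(constructedInput);

        System.out.println("unsafe: " + renderUnsafe(errors));
        // unsafe: <ul class="errors"><li>No product found with id <script>alert(1)</script></li></ul>

        System.out.println("safe:   " + renderSafe(errors));
        // safe:   <ul class="errors"><li>No product found with id &lt;script&gt;alert(1)&lt;/script&gt;</li></ul>
    }
}
```

The design point is that encoding belongs at the output boundary (the renderer), not inside each service: services cannot know whether their message will end up in HTML, JSON, a log line or an email, and encoding for the wrong context both corrupts the message and leaves other output paths unprotected.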
Mitigation:
11.04.x users should upgrade to 11.04.05
12.04.x users should upgrade to 12.04.04
http://svn.apache.org/r1608698
Credit:
This issue was discovered by Gregory Draperi.
References:
http://ofbiz.apache.org/download.html#vulnerabilities