Message-ID: <57080D2F.4000407@apache.org>
Date: Fri, 8 Apr 2016 21:57:35 +0200
From: "jleroux@...che.org" <jleroux@...che.org>
To: oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: CVE-2015-3268: Apache OFBiz information disclosure vulnerability

CVE-2015-3268: Apache OFBiz information disclosure vulnerability
==========================================

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache OFBiz 13.07.02 and 13.07.01
Apache OFBiz 12.04.05 and earlier releases in the series (12.04.*)
The unsupported releases 11.04.*, 10.04.* and 09.04 versions are also affected
(Lilian Iatco reported he tried with r691692, which is early March 2008)

Description:
Stored Cross-Site Scripting Vulnerability affecting the description attribute
of the display-entity element because it was not escaped.

Mitigation:
13.07.* users should upgrade to 13.07.03
12.04.05 users should upgrade to 12.04.06

You can find more information at
https://issues.apache.org/jira/browse/OFBIZ-6506

Credit:
This issue was discovered by Lilian Iatco and reported at
https://issues.apache.org/jira/browse/OFBIZ-6506

References:
http://ofbiz.apache.org/download.html#vulnerabilities

==========================================

Jacques
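The advisory's root cause is output that is written into the page without HTML escaping. The following is an added illustration, not OFBiz code and not the project's actual fix from OFBIZ-6506: a stand-alone Java class with a hypothetical stored description value (constructed for this example), a renderer that emits it verbatim (the "before" behaviour the advisory describes) and one that escapes it on output (the "after"). The class, method and field names are all assumptions made for the example.

```java
// Added example, not part of the advisory or of Apache OFBiz.
// Shows why an unescaped description attribute lets stored markup reach the
// browser, and the minimal output escaping a widget renderer needs.
public class DisplayEntityEscapeDemo {

    // Hypothetical stored description value (constructed for this example).
    // In the vulnerable case, whatever a user saved here lands in the HTML.
    static final String STORED_DESCRIPTION =
        "Acme <script>alert(1)</script> & Sons";

    // Escape the five characters that matter in HTML text and attribute
    // values. This is the step the advisory says was missing for the
    // description attribute of display-entity.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // "Before": the stored value is concatenated into the markup as-is,
    // so a <script> element stored in the description is executed by the
    // browser of every user who views the page (stored XSS).
    static String renderUnescaped(String description) {
        return "<span class=\"display-entity\">" + description + "</span>";
    }

    // "After": the value is escaped at output time, so the same stored
    // content is displayed as literal text and never parsed as markup.
    static String renderEscaped(String description) {
        return "<span class=\"display-entity\">" + escapeHtml(description) + "</span>";
    }

    public static void main(String[] args) {
        System.out.println("unescaped: " + renderUnescaped(STORED_DESCRIPTION));
        // unescaped: <span class="display-entity">Acme <script>alert(1)</script> & Sons</span>
        System.out.println("escaped:   " + renderEscaped(STORED_DESCRIPTION));
        // escaped:   <span class="display-entity">Acme &lt;script&gt;alert(1)&lt;/script&gt; &amp; Sons</span>
    }
}
```

Escaping belongs at the output boundary (the renderer), not at storage time: the same description may be emitted into HTML, a JavaScript string or a URL, and each context needs its own encoding. Upgrading to the fixed releases named in the advisory is the actual remedy for OFBiz deployments; this block only shows the class of change such a fix makes.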