Apache OFBiz Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	53023
Class:	Input Validation Error
CVE:	CVE-2012-1621
Remote:	Yes
Local:	No
Published:	Apr 16 2012 12:00AM
Updated:	Apr 16 2012 12:00AM
Credit:	Matias Madou
Vulnerable:	Apache Software Foundation OfBiz 10.4.1
Not Vulnerable:	Apache Software Foundation OfBiz 10.4.2

Apache OFBiz Multiple Cross Site Scripting Vulnerabilities

Apache OFBiz is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Apache OFBiz 10.04.01 is vulnerable; other versions may also be affected.

Apache OFBiz Multiple Cross Site Scripting Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

Apache OFBiz Multiple Cross Site Scripting Vulnerabilities

Solution:
Vendor update is available. Please see the references for more information.

Apache OFBiz Multiple Cross Site Scripting Vulnerabilities

References:

• [CVE-2012-1621] Apache OFBiz information disclosure vulnerability (Apache)
  
• Apache OFBiz Homepage (Apache)