Apache OFBiz CVE-2014-0232 Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	69286
Class:	Input Validation Error
CVE:	CVE-2014-0232
Remote:	Yes
Local:	No
Published:	Aug 19 2014 12:00AM
Updated:	Aug 19 2014 12:00AM
Credit:	Gregory Draperi
Vulnerable:	Apache OfBiz 12.4.3 Apache OfBiz 12.4.2 Apache OfBiz 12.4.1 Apache OfBiz 11.4.4 Apache OfBiz 11.4.3 Apache OfBiz 11.4.2 Apache OfBiz 11.4.1
Not Vulnerable:	Apache OfBiz 12.4.4 Apache OfBiz 11.4.5

Apache OFBiz CVE-2014-0232 Multiple Cross Site Scripting Vulnerabilities

Apache OFBiz is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

The following versions are vulnerable:

Apache OFBiz 11.04.01 through 11.04.04
Apache OFBiz 12.04.01 through 12.04.03

Apache OFBiz CVE-2014-0232 Multiple Cross Site Scripting Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

Apache OFBiz CVE-2014-0232 Multiple Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Apache OFBiz CVE-2014-0232 Multiple Cross Site Scripting Vulnerabilities

References:

• Apache OFBiz Homepage (Apache)
  
• Download Apache OFBiz (Apache Software Foundation)