AI Score: 5.6 Medium (Confidence: High)

CVSS2: 4.3 Medium (vector AV:N/AC:M/Au:N/C:N/I:P/A:N)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE

EPSS: 0.006 Low (Percentile: 78.9%)
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.
CPE | Name | Operator | Version
---|---|---|---
apache:ofbiz | apache ofbiz | le | 09.04
svn.apache.org/viewvc?view=revision&revision=920369
svn.apache.org/viewvc?view=revision&revision=920370
svn.apache.org/viewvc?view=revision&revision=920371
svn.apache.org/viewvc?view=revision&revision=920372
svn.apache.org/viewvc?view=revision&revision=920379
svn.apache.org/viewvc?view=revision&revision=920380
svn.apache.org/viewvc?view=revision&revision=920381
svn.apache.org/viewvc?view=revision&revision=920382
www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
www.securityfocus.com/bid/39489