| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <57080D2F.4000407@apache.org> Date: Fri, 8 Apr 2016 21:57:35 +0200 From: "jleroux@...che.org" <jleroux@...che.org> To: oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: CVE-2015-3268: Apache OFBiz information disclosure vulnerability CVE-2015-3268: Apache OFBiz information disclosure vulnerability ========================================== Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache OFBiz 13.07.02 and 13.07.01 Apache OFBiz 12.04.05 and earlier releases in the series (12.04.*) The unsupported releases 11.04.*, 10.04.* and 09.04 versions are also affected (Lilian Iatco reported he tried with r691692, which is early March 2008) Description: Stored Cross-Site Scripting Vulnerability affecting the description attribute of the display-entity element because it was not escaped. Mitigation: 13.07.* users should upgrade to 13.07.03 12.04.05 users should upgrade to 12.04.06 You can find more information at https://issues.apache.org/jira/browse/OFBIZ-6506 Credit: This issue was discovered by Lilian Iatco and reported at https://issues.apache.org/jira/browse/OFBIZ-6506 References: http://ofbiz.apache.org/download.html#vulnerabilities ========================================== Jacques
Powered by blists - more mailing lists