| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <BA3388CF-DB0C-4EA9-9C9F-1DB880C98D51@apache.org> Date: Fri, 18 Jan 2013 18:09:32 +0100 From: Jacopo Cappellato <jacopoc@...che.org> To: Apache Security Response Team <security@...che.org>, dev@...iz.apache.org, Ofbiz User ML <user@...iz.apache.org> Cc: full-disclosure@...ts.grok.org.uk Subject: [CVE-2013-0177] Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz CVE-2013-0177: Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache OFBiz 11.04.01 Apache OFBiz 10.04.04 and earlier releases in the series (10.04.*) The unsupported Apache OFBiz 09.04.* versions may be also affected Description: Reflected Cross-Site Scripting Vulnerability affecting Screenlet.title and Image.alt Widget attributes because the content of these two elements was not properly escaped. Mitigation: 10.04.* users should upgrade to 10.04.05 11.04.01 users should upgrade to 11.04.02 Credit: This issue was discovered by Marcos Garcia (@artsweb)/ Juan Caillava (@jcaillava) References: http://ofbiz.apache.org/download.html#vulnerabilities _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists