CVE-2017-15714

Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions 16.11.01 through 16.11.03

Description: The issue allows for code injection by passing malicious code through the URL, specifically by exploiting the BIRT plugin's failure to escape user input properties. This can be demonstrated by appending code such as " format=%27;alert(%27xss%27)" to the URL, resulting in the execution of an alert window.

Recommendations: For Apache OFBiz versions 16.11.01 through 16.11.03, consider restricting access to the BIRT plugin until a fix is available, and avoid passing user input properties directly in URLs to minimize the risk of code injection.