Artsweb

**Name of the Vulnerable Software and Affected Versions** Apache Open For Business Project (aka OFBiz) versions 10.04.x through 10.04.04 Apache Open For Business Project (aka OFBiz) version 11.04.01 Apache Open For Business Project (aka OFBiz) versions 09.04.x and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via specific Widget attributes, such as `Screenlet.title` or `Image.alt`. An example of exploitation is through the `parentPortalPageId` parameter to the "/exampleext/control/ManagePortalPages" API endpoint. **Recommendations** For Apache Open For Business Project (aka OFBiz) versions 10.04.x through 10.04.04, update to version 10.04.05 or later. For Apache Open For Business Project (aka OFBiz) version 11.04.01, update to a later version. For Apache Open For Business Project (aka OFBiz) versions 09.04.x and earlier, update to a version later than 09.04.x. As a temporary workaround, consider restricting access to the `Screenlet.title` and `Image.alt` Widget attributes until a patch is available.