CVE-2010-0432

Name of the Vulnerable Software and Affected Versions Apache Open For Business Project versions 09.04 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including productStoreId to /control/exportProductListing, partyId to partymgr/control/viewprofile, start to myportal/control/showPortalPage, an invalid URI beginning with /facility/control/ReceiveReturn, contentId (also known as entityName) to ecommerce/control/ViewBlogArticle, entityName to webtools/control/FindGeneric, and subject or content parameters to an unspecified component under ecommerce/control/contactus.

Recommendations For Apache Open For Business Project versions 09.04 and earlier, consider disabling the affected parameters, such as productStoreId, partyId, start, contentId, entityName, subject, and content, until a patch is available. Restrict access to the vulnerable components, including /control/exportProductListing, partymgr/control/viewprofile, myportal/control/showPortalPage, /facility/control/ReceiveReturn, ecommerce/control/ViewBlogArticle, webtools/control/FindGeneric, and ecommerce/control/contactus, to minimize the risk of exploitation.