CVE-2013-0177

Name of the Vulnerable Software and Affected Versions Apache Open For Business Project (aka OFBiz) versions 10.04.x through 10.04.04 Apache Open For Business Project (aka OFBiz) version 11.04.01 Apache Open For Business Project (aka OFBiz) versions 09.04.x and earlier

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via specific Widget attributes, such as Screenlet.title or Image.alt. An example of exploitation is through the parentPortalPageId parameter to the "/exampleext/control/ManagePortalPages" API endpoint.

Recommendations For Apache Open For Business Project (aka OFBiz) versions 10.04.x through 10.04.04, update to version 10.04.05 or later. For Apache Open For Business Project (aka OFBiz) version 11.04.01, update to a later version. For Apache Open For Business Project (aka OFBiz) versions 09.04.x and earlier, update to a version later than 09.04.x. As a temporary workaround, consider restricting access to the Screenlet.title and Image.alt Widget attributes until a patch is available.