PT-2018-5985 · Apache+1 · Apache Ofbiz+1
Published
2018-01-04
·
Updated
2018-01-24
·
CVE-2017-15714
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Apache OFBiz versions 16.11.01 through 16.11.03
Description:
The issue allows for code injection by passing malicious code through the URL, specifically by exploiting the BIRT plugin's failure to escape user input properties. This can be demonstrated by appending code such as " format=%27;alert(%27xss%27)" to the URL, resulting in the execution of an alert window.
Recommendations:
For Apache OFBiz versions 16.11.01 through 16.11.03, consider restricting access to the BIRT plugin until a fix is available, and avoid passing user input properties directly in URLs to minimize the risk of code injection.
Exploit
Fix
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Ofbiz
Birt