Description
Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Juan Caillava · textremotemultiple
https://www.exploit-db.com/exploits/38230
References (9)
Core 9
Core References
Broken Link vdb-entry
x_refsource_osvdb
http://osvdb.org/89453
Vendor Advisory x_refsource_confirm
http://ofbiz.apache.org/download.html#vulnerabilities
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2013/Jan/148
Broken Link vdb-entry
x_refsource_osvdb
http://osvdb.org/89452
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/119673/Apache-OFBiz-Cross-Site-Scripting.html
Broken Link x_refsource_confirm
https://fisheye6.atlassian.com/changelog/ofbiz?cs=1432395
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/81398
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/51812
Broken Link x_refsource_confirm
https://fisheye6.atlassian.com/changelog/ofbiz?cs=1432850
Scores
EPSS
0.0421
EPSS Percentile
88.8%
Details
CWE
CWE-79
Status
published
Products (8)
apache/ofbiz
09.04
apache/ofbiz
09.04.01
apache/ofbiz
10.04
apache/ofbiz
10.04.01
apache/ofbiz
10.04.02
apache/ofbiz
10.04.03
apache/ofbiz
10.04.04
apache/ofbiz
11.04.01
Published
Jan 30, 2014
Tracked Since
Feb 18, 2026